FEATURES OF SEVEN AUDIT SOFTWARE PACKAGES--
PRINCIPLES AND CAPABILITIES

Albrecht  J.  Neumann 


The objectives of the auditing process are
illustrated by a review of auditing standards for
external and internal auditors. Some basic concepts
of auditing are defined. Methods for computerized
internal control are outlined. Characteristics
and features for seven major commercially
available audit software packages are described
under common headings dealing with the computer
environment, input file characteristics, history,
availability and cost, and general system
characteristics. Basic functions and specialized audit
functions of software packages such as numerical
and logical operations, stratification and aging,
selection, and summarization are described for the
various packages.


Key  words:  Audit  packages;  audit  routines;  audit 
software;  auditing;  auditing  standards;  computer 
assisted  auditing;  computer  auditing. 


1.  INTRODUCTION 


The  advent  of  digital  computers  has  had  considerable 
impact  on  the  auditing  profession.     The  computer  as  an 
auditor's  tool  provides  a  powerful  extension  of  the 
auditor's  capability,  but  the  auditing  of  computerized 
organizations  has  placed  new  burdens  on  the  auditing 
profession. 

This  study  defines  and  clarifies  some  auditing  terms 
and  concepts,  reviews  some  of  the  underlying  principles  of 
auditing,  and  then  provides  an  overview  of  the  features  of 
generalized  software  tools  which  can  be  used  by  auditors. 

This report primarily addresses the computer
professional who is interested in auditing problems. To a
lesser degree, an auditor who is not familiar with computer
techniques may find this report useful. Also, managers who
are neither auditors nor computer specialists will find this
report a source of information that should help to
stimulate new computer applications in the general area of
computer auditing.


2.  AUDIT, AUDITORS, AND AUDITING


Since  this  report  addresses  a  wide  spectrum  of  readers 
with  different  backgrounds  and  interests,  a  review  of  basic 
terms  may  be  helpful   in  reaching  understanding  of  common 
areas  of  concern.     Webster [1]  gives  three  meanings  for  the 
term  Audit: 

1.  A  formal  or  official  examination  and 
verification  of  an  account  book, 

2.  A  methodical  examination  and  review, 

3.  The  final  report  of  an  examination  of  books  of 
account  by  auditors. 

The dictionary definitions indicate two extreme
viewpoints, a narrow one dealing only with the examination
of account books, and a broader one covering any
methodical examination and review. An auditor is a person
who performs an audit. In one sense, an auditor may be any
person who checks the correctness of a set of financial
statements. An auditor often is a certified public
accountant, a college trained, highly educated specialist
with many years of professional experience. In another
sense an auditor may be a computer or subject specialist
with no particular training in accounting when non-financial
auditing, such as a quality audit, security audit, or computer
performance audit, is the objective of examination and
review. In the profession of auditing two major fields have
emerged: those of external and internal auditing.

An  external  auditor  is  a  member  of  a  firm  of  Certified 
Public  Accountants,  who  serves  a  client  who  requires 
auditing  services.     All  public  firms  are  required  by  law  to 
undergo  periodic  external  audits.     Most  often  the  external 
auditor  is  concerned  with  the  examination  of  corporate 
balance  sheets,  and  financial  statements  of  a  firm. 

The  internal  auditor   is  an  employee  of  the  organization 
which  is  being  audited.   Internal  auditing  is  also  concerned 
with  financial  matters,  but  in  addition  may  deal  with 
efficient  use  of  company  resources,  and  the  quality  of  the 
services  or  products  of  an  organization. 

Using  the  broader  meaning  of  Webster,   the  term 
"auditing"   is  now  often  applied  to  the  review  of  computer 
and  communications  systems.     In  that  context  Bjork[2]  has 
defined  auditing  as  "the  act  of  monitoring  the  application 
for  compliance  with  accounting  rules  and  practices".  He 
further  states  that  "Auditing  an  application  is  essentially 
certifying  the  integrity  of  the  system  by  verifying  that 
rules and policies dictated by laws, business agreements,
etc. are being followed by the application". Bjork
distinguishes  four  types  of  audit  depending  on  whether  the 
audit  occurs  during  the  computer  process  or  after  the 
process,  and  whether  the  auditing  procedure  is  "transparent 
or  non-transparent"  to  the  process  being  audited,  i.e. 
whether  the  process  being  audited  is  aware  of  the  audit  or 
not.     Auditing  in  the  latter  context  has  become  a  function 
of  a  computer  specialist,  who  is  intimately  familiar  with 
the  architecture,  concepts  and  terminology  of  the  hardware 
and  software.  The  traditional   internal  or  external  auditor 
will  have  difficulty  performing  this  kind  of  audit,  and  will 
need  considerable  specialized  knowledge  to  achieve 
successful  results. 

Since  both  management  and  the  auditor  are  vitally 
concerned  with  financial  operations,  efficient  use  of 
resources,  and  useful  products,   it  is  helpful  to  point  out 
the  distinction  between  the  responsibilities  of  auditors  and 
management.

The external auditor examines financial statements of a
firm  and  expresses  an  opinion  that  the  firm's  financial 
position  has  been  represented  in  a  fair  manner.  In  this 
opinion  he  exercises  independent  judgment. 

The internal auditor, however, acts as a management
investigator; he has an interest in matters of
organizational efficiency, proper use of resources, and
effectiveness of organizational products. He reports on
"what is done, who does it, where it is done, and how well
it is done"[3].

Management,   in  contrast,   is  responsible  for  adoption  of 
a  sound  accounting  policy,  for  the  maintenance  of  accounts, 
for  the  safeguarding  of  the  company's  assets,  and  for 
establishment  and  maintenance  of  internal  controls. 

Standards for external auditors have been documented
over the years by the American Institute of Certified Public
Accountants. The standards prescribe scope, duties, general
and specific principles, and the form of reports to be
prepared. They recently have been codified and collected in
one volume[4]. Similarly, guidelines and standards have been
prepared for the internal auditor by the U.S. Comptroller
General[5]. They are used widely both within and outside of
the Government. The Institute of Internal Auditors
presently is engaged in codification of standards for the
internal auditing profession. The following sections
summarize these auditing standards, which give the
non-auditor a good perspective on auditing goals and objectives.


3.  AUDITING STANDARDS


The  GAO  Auditing  Standards  deal  with  three  major  areas: 
General  Standards,  Examination  and  Evaluation  Standards,  and 
Reporting  Standards.     These  standards  are  summarized  in  the 
following  paragraphs  and  describe  the  general  nature  of  the 
auditing  process.  The  reader   is  cautioned  not  to  interpret 
this  report  as  an  official  standard  or  guideline.  For 
specific  wording  the  reader  is  referred  to  the  original 
document which forms the basis for this report[5]. Although
the  GAO  standards  are  prepared  for  governmental  auditing, 
they  are  also  used  by  non-governmental  internal  auditors, 
and  there  is  considerable  similarity  between  the  external 
auditing  standards  and  the  GAO  document.     Most  standards 
cited  here  have  broad  application  for  all  kinds  of  audit. 


3.1  General 

There  are  four  General  Standards  specified,  which  deal 
with  the  scope  of  audits,  qualifications  of  auditors, 
independence  of  auditors,  and  the  matter  of  "due 
professional  care". 

3.1.1  Scope  of  Audit  Work.  The  first  general  standard  for 
auditing  is: 

The  full  scope  of  an  audit  of  a  governmental 
program,   function,  activity,  or  organization  should 
encompass:


1.  An  examination  of  financial  transactions, 
accounts,  and  reports,   including  an 
evaluation  of  compliance  with  applicable 
laws  and  regulations. 

2.  A  review  of  efficiency  and  economy  in  the 
use  of  resources. 

3.  A  review  to  determine  whether  desired 
results  are  effectively  achieved. 

In  determining  the  scope  for  a  particular  audit, 
responsible  officials  should  give  consideration  to  the 
needs  of  the  potential  users  of  the  results  of  the 
audit.

These general objectives include analysis of financial
transactions,  and  compliance  with  applicable  laws  and 
regulations  to  determine  whether  the  audited  organization  is 
maintaining  effective  control  over  revenues  and 
expenditures,  assets  and  liabilities,  whether  there  is 
proper  accounting  for  resources,  liabilities  and  operations, 
whether  the  financial  reports  are  accurate,  and  contain 
useful  data  fairly  representing  the  financial  state  of  the 
organization,  and  whether  applicable  laws  and  regulations 
are  being  followed.     Included  in  an  audit  may  be  a  review  of 
procedures,  of  possible  duplication  of  effort,  of 
inefficient  operations  and  faulty  buying  practices,  and  of 
waste  of  materiel  and  personnel.   Finally,  the  auditor  will 
consider  results  achieved,  benefits  obtained,  and  whether 
objectives  have  been  met. 

3.1.2  Qualifications.  The  second  General  Standard  for 
auditing  is: 

The  auditors  assigned  to  perform  the  audit  must 
collectively  possess  adequate  professional  proficiency 
for  the  tasks  required. 

Audits  vary  in  scope  and  depth.  A  team  effort  often  is 
required  to  provide  the  mix  of  financial  expertise, 
familiarity  with  laws  and  regulatory  requirements,  and 
systems  analysis  required  to  assess  operating  efficiencies 
and  effectiveness  of  program  results.  Additional  skills 
required  often  are  familiarity  with  statistical  techniques, 
computers  and  data  processing,  and  various  technical  and 
engineering  specialties. 

3.1.3 Independence. The third General Standard for auditing
is:

In  all  matters  relating  to  the  audit  work,  the  audit 
organization  and  the  individual  auditors  shall  maintain 
an  independent  attitude. 

This standard places upon the auditor, or the auditing
organization, the responsibility for impartiality.
Independence must be maintained to produce unbiased
opinions, conclusions, and judgments. If this should not be
possible for personal, external, or organizational reasons,
this must be prominently stated in the auditor's report.

3.1.4  Due  Professional  Care.  The  fourth  General  Standard  for 
auditing  is: 

Due  professional  care  is  to  be  used  in  conducting  the 
audit  and  in  preparing  related  reports. 


This  requires  high  professional  standards  to  be 
exercised  in  all  audit  work.     This  standard  implies  some 
limited  responsibility  for  disclosure  of  irregularities  or 
non-compliance.     The  standard  imposes  on  the  auditor  a 
requirement  to  be  alert  for  situations  that  could  indicate 
fraud,   inefficiency,  waste,   improper  use  of  resources,  or 
lack  of  effectiveness.     The  audit  process  is  not  a 
substitute  for  internal  control.     Management  is  responsible 
for  enforcement  of  adherence  to  policy,  and  for  prevention 
of  misuse  of  resources.  The  auditing  process  is  a  test  of 
internal  control,  rather  than  a  substitute  for  it. 

Exercise  of  due  professional  care  means  use  of  good 
judgment  in  the  choice  of  tests  and  procedures,  doing  a  good 
job in applying them, and preparing good reports. The
auditor  must  consider  the  audit  objectives,   the  relative 
materiality  or   importance  of  matters  to  which  the  procedures 
will  apply,  the  effectiveness  of  internal  controls,  and 
costs  in  relation  to  derived  benefits  for  the  work  being 
performed. 

The quality of audit work depends upon the degree to
which tests and procedures are competently applied,
the degree to which conclusions are based on pertinent and
documented facts, the conformance of the audit work to the
evaluation standards and reporting standards outlined below,
and the critical exercise of judgment in all phases of the
audit process.


3.2     Examination  and  Evaluation  Standards 

Five standards deal with the details of examining and
evaluating, covering the areas of planning, proper supervision,
compliance with legal and regulatory requirements, the
evaluation of internal controls, and the matter of evidence.

3.2.1  Planning.  The  first  examination  and  evaluation 
standard  for  auditing  is: 

Work  is  to  be  adequately  planned. 

Such  planning   is  especially  important  if  several 
organizations  are  involved  in  the  audit,  coordination 
between  auditors  is  required,  and  division  of  assignments  is 
required.   It  is  often  desirable  to  have  one  audit  satisfy 
requirements  of  several  levels  of  the  organization, 
requiring  different  emphasis  and  viewpoints. 

A written audit program or audit plan needs to be
prepared,  which  serves  to  communicate  the  audit  objectives 
to  all  concerned,  and  provides  a  vehicle  of  control  during 
the  audit.     Such  a  plan  will  contain  purpose  and  scope, 
objectives,  background,  definitions  of  terms,  a  description 
of  procedures  to  be  used,  and  reporting  requirements. 
Planning  also  includes  provisions  for  access  to  working 
papers  by  other  auditors  at  a  later  date,  when  required. 

3.2.2  Supervision.  The  second  examination  and  evaluation 
standard  for  auditing  is: 

Assistants  are  to  be  properly  supervised. 

This  requires  supervisory  review  during  all  phases  of  the 
audit,  both  of  the  substance  and  the  method  of  auditing. 
Such  review  should  ensure  conformance  to  auditing  standards, 
adequate  recording  of  adherence  to  the  audit  plan,  adequate 
documentation  of  findings  and  conclusions,  and  achievement 
of  audit  objectives. 

3.2.3  Legal  and  Regulatory  Requirements.  The  third 
examination  and  evaluation  standard  for  auditing  is: 

A  review  is  to  be  made  of  compliance  with  legal  and 
regulatory  requirements. 

Compliance with laws and regulations is especially important
in governmental auditing. Government activities are
creatures of law, and detail pertaining to basic legislation,
hearing reports, legislative committee reports, court
decisions, and state and local legislation must be considered
here. Other requirements include administrative memoranda,
guidelines, and administrative regulations by all appropriate
levels of government.

The  nature  and  purpose  of  the  review  will  vary 
according  to  the  emphasis  of  the  audit,  whether   it  focuses 
on  financial  matters,  economy  and  efficiency  of  operations, 
or  program  results,  or  all  three  of  these. 

3.2.4  Internal  Control.  The  fourth  examination  and 
evaluation  standard  for  auditing  is: 

An  evaluation  is  to  be  made  of  the  system 
of  internal  control  to  assess  the  extent 
it  can  be  relied  upon  to  ensure  accurate 
information,   to  insure  compliance  with 
laws  and  regulations,  and  to  provide  for 
efficient  and  effective  operations. 

This standard permits the auditor to determine how much
reliance can be placed on the internal controls of the
audited organization. Internal control refers to the
organization and methods which have been set up to safeguard
assets, insure accuracy and reliability of accounting data,
promote operational efficiency, and encourage adherence to
established managerial policies. Concepts included here are
separation of duties in critical areas, a system of
authorization and record procedures providing effective
control over assets, liabilities, revenues and expenses, and
systems and procedures for personnel management and internal
review.

Since it is difficult and expensive to completely
evaluate all internal controls, judgment is required to
select those aspects which are important to the issues being
audited. Again, the extent of controls may cover any one or
all of financial areas, matters of efficiency and economy,
or program results. The internal review provides a basis for
application of further tests and use of auditing tools such
as the auditing software systems described later.

3.2.5  Evidence.  The  fifth  examination  and  evaluation 
standard  for  auditing  is: 

Sufficient, competent, and relevant evidence
is to be obtained to afford a reasonable
basis for the auditor's opinions, judgments,
conclusions, and recommendations.

Evidence  includes  records  of  testimonials,  documentary 
evidence  such  as  letters,  contracts,  computer  printouts,  as 
well  as  analytical  evidence  secured  by  analysis  of 
information  the  auditor  has  obtained.     Regardless  of  the 
type  of  evidence,   it  must  meet  the  basic  tests  of 
sufficiency,  competence,  and  relevance.     Details  must  be 
documented  in  the  auditor's  working  papers,  which  must  also 
include  the  methods  used  to  obtain  the  data.  "Sufficiency 
is  the  presence  of  enough  factual,  adequate  and  convincing 
evidence  to  lead  a  prudent  person  to  the  same  conclusion  as 
the auditor"[6]. Judgment is required here, and statistical
methods  may  be  employed  to  establish  sufficiency,  when 
appropriate.     Competent  evidence  should  be  the  best 
attainable  through  the  use  of  reasonable  audit  methods. 
Relevance  refers  to  the  relationship  of  the  information  to 
its  use. 

Working  papers  are  the  link  between  the  auditor's  field 
work  and  the  auditor's  report.     They  contain  the  accumulated 
evidence  in  support  of  conclusions  and  recommendations  in 
the  report.  Auditors  need  to  adopt  reasonable  procedures  to 
ensure  safe  custody  and  retention  of  their  working  papers  to 
satisfy  legal  and  administrative  requirements.  General 
guidelines included in reference [5] include completeness and
accuracy, clarity and understandability, legibility and
neatness,  and  pertinence. 

3.3    Reporting  Standards 

Four  reporting  standards  are  identified  in  the 
Comptroller  General  Report,  dealing  with  form  and 
distribution  of  reports,   timeliness,  content  guidelines  and 
financial  reports.     These  standards  are  summarized  in  the 
following  paragraphs. 

3.3.1  Form  and  Distribution.  The  first  reporting  standard 
for  auditing  is: 

Written  audit  reports  are  to  be  submitted 
to  the  appropriate  officials  of  the  organizations 
requiring  or  arranging  for  the  audits.  Copies  of 
the  reports  should  be  sent  to  other  officials  who 
may  be  responsible  for  taking  action  on  audit 
findings  and  recommendations  and  to  others 
responsible  or  authorized  to  receive  such  reports. 
Copies  should  also  be  made  available  for  public 
inspection.

Specific  reasons  for  audit  reports  are  stated:  they 
should  be  widely  communicated  to  responsible  officials  at 
all  levels,   they  aid  in  avoiding  misunderstandings,  they 
permit  public  inspection  of  the  auditor's  findings,  and  they 
facilitate  followup  to  determine  whether  the  recommendations 
have  been  followed. 

3.3.2 Timeliness. The second reporting standard is:

Reports  are  to  be  issued  on  or  before  the 
dates  specified  by  law,  regulation,  or 
other  arrangement  and,   in  any  event,  as 
promptly  as  possible  so  as  to  make  the 
information  available  for  timely  use  by 
management  and  by  legislative  officials. 

Interim  communication  of  results  is  encouraged,  but  is 
not  a  substitute  for  a  final  report. 


3.3.3 Content. The third reporting standard enumerates
content designators that should be included in the report.
Topics mentioned are content, conciseness, accuracy,
completeness, fairness, objectivity, adequate support,
recommendations, constructiveness of tone, issues needing
further study, recognition of noteworthy accomplishments,
views of responsible officials, scope and objectives of
audit, and justification for omission of privileged
information. For further detail the reader is referred to
reference[4].

3.3.4 Financial Reports. The fourth reporting standard is:

Each  Audit  report  containing  financial  information 
reports  shall: 

1.  Contain  an  expression  of  the  auditor's 
opinion  as  to  whether  the  information  in 
the  financial  reports  is  represented 
fairly  in  accordance  with  generally 
accepted accounting principles (or with
other specified accounting principles
applicable to the organization...audited),
applied on a basis
consistent  with  that  of  the  preceding 
reporting  period.     If  the  auditor  cannot 
express  an  opinion,  the  reasons  therefor 
should  be  stated  in  the  audit  report. 

2.  Contain  appropriate  supplementary 
explanatory  information  about  the  contents 
of  the  financial  reports  as  may  be 
necessary  for  full  and  informative 
disclosure  about  the  financial  operations 
of  the  organization,  program,  function  or 
activity  audited.  Violations  of  legal  or 
other  regulatory  requirements,  including 
instances  of  noncompliance,  and  material 
changes  in  accounting  policies  and 
procedures,  along  with  their  effect  on  the 
financial reports, shall be explained in
the  audit  report. 


In summary, one may group these standards into two
areas,   those  that  deal  with  characteristics  and  qualities  of 
the  audit  and  the  auditor,  and  those  that  are  related  to  the 
object  of  the  audit  and  the  results  desired.   In  the  first 
area  are  standards  dealing  with  the  scope  of  the  audit, 
qualifications  of  the  auditors,  matters  of  due  professional 
care,   independence,  planning  and  supervision.  In  the  second 
area  are  those  dealing  with  review  of  internal  control,  use 
of  judgment  to  develop  proper  tests,   the  producing  of 
evidence  to  substantiate  findings,  and  the  generation  of 
timely,  relevant  and  useful  reports. 

It is in the second area that computers have made an
impact. We will focus on these ideas in the next section.


4.      INTERNAL  CONTROL,   EVIDENCE  AND  REPORTING 


In  the  early  stages  of  accounting  practice  auditors 
periodically  examined  in  great  detail  the  manner  in  which 
individual  transactions  were  handled  by  an  organization. 
This  independent,  careful,  professional  assessment  formed 
the  basis  for  an  opinion  as  to  the  accuracy  and  reliability 
of financial data of an organization. As organizations
grew, the number of transactions grew correspondingly, and
detailed auditing became time consuming and expensive, and
placed prohibitive burdens on management. Establishment by
management of internal checks on the internal financial
processes of an organization has become an acceptable
substitute for detailed auditing of each transaction.

The  term  internal  control  has  been  defined  as:  "the 
general  methodology  by  which  management  is  carried  on  within 
an  organization;  also  any  of  the  numerous  devices  for 
supervising  and  directing  an  operation  or  operations 
generally"[7]. Internal control accomplishes three major
objectives. First, the "methodology" is designed to insure
that the accounting system provides accurate, complete,
reliable and up-to-date information for making management
decisions. Second, it is intended to insure compliance with
policy  directives,  and  legal  requirements.     And  finally,  it 
protects  the  organization  from  carelessness,  inefficiency 
and  outright  fraud. 

With mechanization of accounting functions and the
introduction of computers, some of the methods of internal
control have changed. New tools have become available, and
some of the manual methods are no longer applicable. With
the advent of machines, some functions previously performed by
people are now performed by machines. The basic principle
of control of "division of duties and responsibilities"
still remains; however, a shift of duties from people to
machines has eliminated the need for internal control over
people while introducing the need to establish controls over
machines.

Next  there  is  the  matter  of  audit  evidence.  Mautz[8] 
enumerates  types  of  audit  evidence.  In  addition  to  physical 
examination,   statements  by  officers,  employees,  and  third 
parties  and  documentation,  he  lists  calculations  by 
auditors,   satisfactory  internal  control  procedures, 
subsidiary  records  or  detail  records  with  no  significant 
indications of irregularity, and interrelationships within
the  data  examined.     The  last  three  types  can  be  supported  by 
computer  operations  and  specialized  software  which  will  be 
discussed  in  the  following  sections. 

Finally, the preparation of reports can be supported
by computers. A major portion of the computer aids
described in the following sections can be classified as
report generators.


5.      COMPUTERS  AND  AUDITING 


The  advent  of  digital  computers  some  thirty  years  ago 
has  introduced  a  new  element  into  auditing  activities.  The 
computer  as  part  of  the  organization  to  be  audited  is 
presenting  some  difficulties  for  the  auditor.     At  the  same 
time  the  computer  has  become  a  valuable  tool  for  the 
auditor.  Two  auditing  concepts  that  have  been  affected  by 
computerization  are  audit  trails  and  internal  control. 


5.1     Audit  Trail 

As computers and computer related procedures have
become part of the accounting systems of organizations, new
complexities have confronted the auditor. One important
facet in accounting practice is the maintenance of an audit
trail, i.e. the capability to trace a sequence of
transactions from the source to the final result. In
manually maintained accounting books this is done through
auditor readable references from one entry to others in
other related documents. In accounts which are maintained
in the form of machine readable records, human tracing of audit
trails often is no longer possible. Auditors speak of
auditing "around the computer", and of auditing "through the
computer"[9]. In the first case inputs and outputs from the
computer are examined, but the internal processing of the
computer is not considered. In the latter case, the internal
operations of the computer are considered by the auditor as
well. In simple computer applications, where programs may
consist of several hundred instructions, it is possible to
examine a computer program line by line. In large
applications involving multi-programming, where programs may
consist of many tens of thousands of instructions, this is
no longer possible and the auditor has lost the capability
to inspect and judge computer programs. Both the loss of
audit trails and the inability to assess computer program
quality have put a great burden on the auditor. The loss of
audit trails is being overcome by making special provisions
in software, which will be discussed under the topic of
automated internal controls. A third factor introduced by
computers is the dependence of the auditor on computer
specialists. This leads to loss of the auditor's
"independence", which may seriously affect the quality of
the audit.

Computers  as  an  aid  to  the  auditor  have  become  an 
important  topic  in  the  auditing  profession,  and  continue  to 
attract  the  interest  of  auditors,  accountants,  and  suppliers 
of  computer  services  and  software. 


5.2     Automated  Internal  Control 

The  ability  of  computers  to  perform  many  repetitive 
operations  at  high  rates  of  speed  with  great  accuracy 
provides  new  techniques  for   internal  control.     Some  of  the 
applicable  techniques  are  listed  here. 

5.2.1  Record  Counts.  Accuracy  and  reliability  of  results  of 
a  financial  system  are  impaired  unless  all  contributing  data 
have  actually  been  processed.  Data  may  be  lost  in  handling 
of  punched  cards,  or   in  transcription  of  data  from  one 
medium  to  another.     Automatic  counting  of  records  at  various 
stages  in  the  processing,  and  comparison  of  record  counts 
provide  assurance  that  no  data  have  been  lost. 

5.2.2  Control  Totals.  An  effective  method  of  controlling 
both  the  number  of  records  processed,  and  the  accuracy  of 
processing,   involves  the  addition  of  specific  data  elements 
taken  from  each  record  processed.  These  may  be  hash  totals, 
or  totals  of  significant  footings.  Hash  totals  may  be  the 
summation  of  stock  numbers,  account  numbers,  or  work  order 
numbers;   they  only  have  control  significance.  Significant 
control  totals  may  be  totals  of  dollar  amounts  or 
quantities,  and  can  be  used  for  other  useful  purposes 
besides control. Comparison of control totals from time to
time provides an excellent means to detect errors.

5.2.3  Zero  Balance  Checks.  A  beginning  balance  is  made  from 
existing  data.  As  the  data  are  processed,  significant  data 
are  accumulated,  and  at  the  end  of  the  process  the 
accumulation  is  subtracted  from  the  original  balance.  The 
result  should  be  zero. 

5.2.4  Limit  Checks.   Predetermined  upper  and  lower  limits  may 
be  established,  and  each  record  can  be  checked  automatically 
for  being  below,  within  or  above  the  specified  range.  This 
method  can  be  used  to  flag  unreasonable  amounts,  and 
provides  clues  to  the  reasonableness  of  data. 

5.2.5 Sequence Checks. The ability to compare sequential
control numbers permits location of records that are out of
sequence, gaps in files, and duplicate numbers.

5.2.6  Self  Checking  Numbers.  Transmission  accuracy  or 
transcription  accuracy  of  numbers  can  be  verified  by 
processing  of  check-digits,  which  are  attached  to  the 
significant  digits,  and  which  serve  to  indicate  error 
conditions. 

5.2.7  Editing  Routines.  Editing  routines  are  primarily  used 
to test for data compatibility. They do not, however, assure
that  data  are  factual.  A  work  order  number  may  be  matched 
against  a  number   in  a  work  order  number  table.  This  does  not 
assure  that  the  right  work  order  number  was  used. 
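
The controls of 5.2.1 through 5.2.6 applied together to one batch, as an added example that is not taken from the report or from any of the packages it describes. The record layout, the header totals, the limits and the use of Luhn mod 10 as the check-digit scheme are assumptions; both sample batches are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Record:
    seq: int       # sequential control number (5.2.5)
    account: str   # account number ending in a check digit (5.2.6)
    amount: D      # dollar amount, a significant control total (5.2.2)


@dataclass(frozen=True)
class BatchHeader:
    record_count: int  # records the sender says it wrote (5.2.1)
    hash_total: int    # sum of account numbers; control significance only
    amount_total: D    # beginning balance for the zero balance check (5.2.3)


def luhn_valid(number: str) -> bool:
    """Check-digit test. Luhn mod 10 is an assumption; the report names no scheme."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sequence_check(seqs):
    """Report duplicates, out-of-order numbers and gaps inside the batch."""
    findings, seen, prev = [], set(), None
    for s in seqs:
        if s in seen:
            findings.append(f"duplicate control number {s}")
        elif prev is not None and s < prev:
            findings.append(f"control number {s} out of sequence after {prev}")
        seen.add(s)
        prev = s
    if seen:
        for m in sorted(set(range(min(seen), max(seen) + 1)) - seen):
            findings.append(f"gap: control number {m} missing")
    return findings


def run_controls(header, records, lower, upper):
    """Apply the controls of 5.2.1-5.2.6; return {check name: [details]}."""
    findings = {}

    def flag(check, detail):
        findings.setdefault(check, []).append(detail)

    if len(records) != header.record_count:
        flag("record_count", f"expected {header.record_count}, got {len(records)}")

    hash_total = sum(int(r.account) for r in records if r.account.isdigit())
    if hash_total != header.hash_total:
        flag("hash_total", f"expected {header.hash_total}, got {hash_total}")

    balance = header.amount_total
    for r in records:
        balance -= r.amount  # zero balance: subtract as each record is processed
        if not lower <= r.amount <= upper:
            flag("limit", f"seq {r.seq}: amount {r.amount} outside {lower}..{upper}")
        if not luhn_valid(r.account):
            flag("check_digit", f"seq {r.seq}: account {r.account} fails check digit")
    if balance != 0:
        flag("zero_balance", f"residual {balance} after processing")

    for detail in sequence_check([r.seq for r in records]):
        flag("sequence", detail)
    return findings


# Constructed sample data: the batch as sent, and the header totals taken from it.
SENT = [
    Record(101, "10017", D("250.00")),
    Record(102, "10025", D("75.50")),
    Record(103, "10033", D("1200.00")),
    Record(104, "10041", D("40.00")),
    Record(105, "10058", D("310.25")),
]
HEADER = BatchHeader(record_count=5, hash_total=50174, amount_total=D("1875.75"))

# Constructed damaged copy: record 103 lost, 104 read twice, one account number
# transposed (10025 -> 10052) and one amount mis-keyed. It still has five records.
RECEIVED = [
    Record(101, "10017", D("250.00")),
    Record(102, "10052", D("75.50")),
    Record(104, "10041", D("40.00")),
    Record(104, "10041", D("40.00")),
    Record(105, "10058", D("98310.25")),
]
LIMITS = (D("0.01"), D("5000.00"))  # assumed lower and upper amount limits

if __name__ == "__main__":
    for check, details in run_controls(HEADER, RECEIVED, *LIMITS).items():
        for detail in details:
            print(f"{check}: {detail}")
```

The damaged batch still holds five records, so the record count alone passes; the loss and the duplicate are caught only by the hash total, zero balance and sequence controls.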


5.3     Audit  Software 

Computers  permit  the  auditor  to  examine  more  material 
in  shorter  time,  permit  the  gathering  of  evidence  with  the 
appropriate  detail  from  a  larger  reservoir  of  resources,  and 
permit  professional  documentation  required  by  good  auditing 
practice.     Many  of  the  available  computer  programs  for 
routine  data  processing  can  be  used  for  auditing  purposes 
such  as  routines  for  sorting,  merging,  copying  and  comparing 
of  large  automated  files. 

Computer  aided  auditing   is  especially  useful  if  there 
are  large  volumes  of  transactions,  significant  fragmentation 
of  source  data,  or  complicated  segmentation  by  organization 
component  or  financial  structure.   It  also  is  applicable  if 
many  records  need  to  be  segregated  by  audit  categories  such 
as  vendor  number,  account  number,  project  code  etc. 

Also  programs  developed  for  assistance  to  systems 
development  often  are  useful  to  the  auditor.     Such  programs 
may  provide  capabilities  for  editing,  performance 
measurement,  logging  and  journaling,  simulation,  testing, 
and documentation. Application of most of these programs does,
however, require some knowledge of computer operations.

General  purpose  packages  have  been  developed,  which  are 
based  on  simplified  procedures  and  do  not  require  special 
computer  knowledge.     These  packages  permit  selection  of 
records  based  on  a  variety  of  criteria,  classification  into 
categories  determined  by  the  auditor,  and  complex 
manipulations  of  records  using  arithmetic  as  well  as 
relational  and  logical  operations.  Finally  complex 
mathematical  methods  are  available  for  statistical  analysis, 
which  help  in  determination  of  the  reliability  of  data 
examined. Results of these "generalized audit packages" are
presented in a form which is most suitable to the auditor,
in  a  format  consistent  with  the  accounting  practices  of  the 
organization  being  audited,  and   in  a  form  which  facilitates 
analysis  and  exercise  of  judgment. 

Use  of  these  techniques  varies  in  complexity.  In  the 
simplest  case  a  few  simple  questions  need  to  be  answered  by 
the  auditor,  on  preprinted  forms.  The  answers  are  translated 
into  punched  cards,  which  in  combination  with  a  prerecorded 
program  on  a  computer  readable  medium  provide  the  computer 
generated   information  needed  by  the  auditor.  In  the  most 
complex  case  the  auditor  will  have  some  programming 
capability  in  a  higher  level  language,  and  will  be  able  to 
take  existing  program  packages,   select  parts  according  to 
need,  combine  them  with  other  ready  made  programs,  write 
necessary  modifications,  and  use  the  total  program  assembly 
for  the  specialized  application.     This  requires  special 
training  in  computer  technology  and  experience  in  using 
computers.  Computer  audit  specialists  serve  in  this 
capability  and  a  special  branch  of  the  auditing  profession 
now  is  specializing   in  this  field. 

In  the  following  pages  features  of  a  few  "general  audit 
packages"  are  described   in  some  detail. 


6.      FEATURES OF AUDIT SOFTWARE PACKAGES


The  following  sections  give  an  overview  of  a  few 
selected  audit  software  packages.  There  are  a  large  number 
of  packages  available  in  an  active  and  ever  expanding 
software  market.     A  survey  by  Adams  and  Mullarkey  lists  17 
packages   [10].     The  packages  selected  for  this  paper  cover  a 
few  of  the  most  popular  ones,  according  to  a  recent  study  by 
the  Institute  of  Internal  Auditors   [11].     Included  are 
packages  developed  by  external  auditing  firms,  commercial 
software  houses,  and  a  government  agency  interested  in 
internal  auditing.  Selection  of  packages  for  this  study  does 
not  imply  a  rating  of  merit,  and  the  arrangement  in  the  text 
is  alphabetical.  The  categorization  of  features  attempts  to 
bring  all  packages  on  a  common  denominator,  but  a  detailed 
comparison  of  features  cannot  be  made  in  any  consistent 
manner  because  of  the  diversity  of  auditing  viewpoints 
reflected   in  the  packages.     Technical  details  listed  for  the 
packages  were  obtained  from  documentation  available  at  the 
time  of  writing  and  are  given  for   illustrative  purposes 
only.     Draft  copies  were  made  available  to  the  vendors  whose 
products are described in this report; their comments were
solicited,  and  were  incorporated  where  feasible.  Information 
presented  here  reflects  the  state  of  the  systems  described 
as  of  March  1977.     Details  should  be  verified  with  each 
individual  supplier   if  the  data  are  used  for  specification 
purposes.     Any  evaluation  of  particular  merits  or  demerits 
of  features  or  detail  capabilities  will  need  a  detailed 
requirements  analysis  by  the  interested  party,  and  an 
evaluation  of  features  of  a  candidate  system  in  relation  to 
specified  requirements.     An  overview  of  an  evaluation 
methodology is outlined in a recent article by Knowlton
[12].

The  following  summaries  of  features  do  however  present 
an  overview  of  capabilities,  and  should  as  such  serve  a 
useful  purpose,  listing  general  descriptions  of  seven 
typical  packages,  characteristics  of  input  files  required, 
some  basic  utility  functions  included,  mathematical  and 
logical capabilities, and specialized audit functions such as
summarization, selection, classification, and report
generation.


7.      GENERAL DESCRIPTION OF PACKAGES


This  section  gives  an  overview  of  the  history  of  the 
packages  under  consideration,  and  a  brief  system  overview 
for  each  system.     An  address  and  phone  number  are  given  so 
that  further   information  may  be  obtained  easily.  The 
hardware  environment  is  discussed  and  modes  of  use  of  the 
system  are  described.     Availability  and  cost  of  software 
packages  are  indicated. 

7.1     System  Identification 

This section lists system name, system
originator, address and a telephone number where further
information may be obtained.

7.1.1  AUDITAPE. 

HASKINS   &  SELLS 
Certified  Public  Accountants 
1114  Avenue  of  the  Americas 
New  York,  New  York  10036 

(212)  422-9600 

7.1.2  DYL  260. 

DYLAKOR  Software  Systems,  Inc. 
16255  Ventura  Boulevard 
Encino,   California  91436 

(213)  995-0151 

7.1.3  EASYTRIEVE. 
PANSOPHIC  SYSTEMS  INC. 
709  Enterprise  Drive 
Oakbrook, Ill. 60521
(312) 986-6000

Arlington, Va. Office: (703) 821-8370

7.1.4  EDP-AUDITOR. 
Cullinane  Corporation 
20  William  Street 
Wellesley, Mass. 02181
(617)  237-66LJ1 

7.1.5  HEWCAS. 

Health, Education and Welfare Computer Audit System
Department of Health, Education and Welfare Audit Agency
Washington  D.C. 

Chief  Advanced  Techniques  Staff, 
(202)  755-8840 

7.1.6 MARK IV/AUDITOR.
Informatics, Inc. System Products
21050 Vanowen Street
Canoga Park, CA 91304
(213) 887-9121

7.1.7  SCORE. 

Programming Methods Company of
Informatics, Inc.
1301 Avenue of the Americas
New York, N.Y. 10019

SCORE Product Manager
(212) 489-7200

7.2    Availability  and  Cost  of  Software 

Different  software  distribution  plans  exist.  Software 
to  be  installed  at  a  customer's  site  may  be  available  for 
purchase  or  lease.  Software  may  also  be  available  from 
time-sharing  service  centers.     The  rental  and  purchase  costs 
for  each  of  these  systems  were  obtained  from  the  GSA 
schedule, where available, or from the software vendors. In
certain  cases  a  discount  is  allowed  if  more  than  one  copy  of 
the  system  is  acquired  within  the  same  government  agency. 

7.2.1 AUDITAPE. The system is made available under a
licensing agreement that provides for an annual license fee.
The annual fee, which is based on actual usage, ranges from
a minimum of $100 to a maximum of $1200 per system.

7.2.2  DYL  260.  Costs  depend  upon  software  modules  and 
supplies  requested,  and  options  of  the  lease  or  purchase 
plan.  Thirty  day  no  cost  trial  available.  Monthly  rental  is 
$120  with  sort  module.  Corresponding  purchase  cost  is 
$8450. No GSA contract. Small discount for multiple sites.

7.2.3 EASYTRIEVE. Available on perpetual license
basis, including first year maintenance, 1 day training, and
two sets of documentation. $12,500 + $750/yr for
maintenance.     Discount  available  for  multiple  systems  within 
one  organization. 

7.2.4  EDP-AUDITOR.  EDP-AUDITOR  can  be  purchased  for  $14,400 
on  the  GSA  schedule.  Maintenance,  new  releases,  and  user's 
group  membership  are  $2160  per  year.     EDP-AUDITOR  can  be 
leased for $600 per month for a 24 month lease, and $180
per  month  after  24  months.  The  lease  includes  maintenance, 
new  releases,  and  user's  group  membership.  The  lease  is  also 
under  the  GSA  schedule. 

7.2.5 HEWCAS. The complete system is available for $800 on
a  reel  of  tape  from  the  National  Technical  Information 
Service.     This  includes  a  complete  set  of  system 
documentation.     Also  available  to  Government  users  of  the 
INFONET  timesharing  service  who  have  obtained  permission 
from  HEW.  Cost  of  INFONET  Service  is  applicable. 

7.2.6 Mark IV/AUDITOR. Mark IV/Auditor consists of the Mark
IV  system  plus  a  library  of  audit  routines.  Mark  IV  can  be 
purchased  or  leased.  Purchase  prices  depend  on  the 
particular  model  and  range  from  $12,000  to  $37,000.  The 
audit routines alone cost $3,700. Over 20 special features
are  available  at  prices  between  $1100  and  $13,000  per 
feature.     Mark  IV  is  available  on  the  GSA  schedule.  The 
audit  routines  require  a  version  of  Mark  IV  to  operate. 
Plans  are  being  made  by  the  vendor  to  have  the  audit 
routines  added  to  the  GSA  schedule.  Purchase  price  includes 
first  year  maintenance  and  support,   training  and 
installation.     Discounts  are  available  to  multiple 
installations  under  purchase  or  lease  plans. 

7.2.7 SCORE. Can be purchased from Informatics, Inc. at about
$18,000 for first installation. Additional installations can
be obtained at half price. Lease/purchase plans are
available.

7.3     History  of  Software  Package. 

Historical   information  on  the  implementation  of  the 
software  package  indicates  the  extent  of  development  and 
field  usage.  The  specific  information  concerns  the  date  of 
first  installation  and  the  name  of  significant 
installations.

7.3.1 AUDITAPE. The system was originally developed in 1965
for internal use by the firm in its audit practice. Based on
its own experience and comments from clients the system was
adapted  for  external  use  and  is  offered  to  clients  and  other 
organizations.  A  variety  of  tapes  are  available  geared  to 
various  makes  of  computers  and  to  specific  operating 
systems.     There  are  approximately  600  users,   including  city, 
state  and  federal  agencies. 

7.3.2 DYL 260. System offered since 1973, over 600
installed.  Listed  in  Datapro  directory  of  commercial 
packages,  won  1975  Datapro  Award  of  Merit  based  upon 
satisfactory  responses  from  user  survey.     Used  by  General 
Accounting  Office  and  Veterans  Administration. 

7.3.3 EASYTRIEVE. Initially installed in 1969. Rights
acquired  by  present  vendor   in  1973.  Over  750  systems 
installed  as  of  December  1975.  Version  6  released  December 
1975.     Listed  in  DATAPRO  "Hall  of  Fame".  Currently  in  use  in 
US  Department  of  Commerce,  US  Department  of  Agriculture,  and 
other  Government  agencies. 

7.3.4 EDP-AUDITOR. First installation was in 1970. Over 350
systems are installed in the U.S. and over 400 world-wide.
Significant installations: Montgomery County Government,
Rockville, Md., Federal Reserve Banks of Chicago, Dallas,
Richmond, and San Francisco, Philadelphia, and Minneapolis,
National Automobile Dealers Association, McLean, Virginia.

7.3.5  HEWCAS.  Software  development  started  in  1972  at  the 
HEW  Audit  Agency.  Was  first  available  in  1973.     Released  for 
general  use  1  July  1974.  Has  been  installed  at  US  Civil 
Service  Commission,  HEW  Audit  agency,  US  Department  of 
Labor,  US  Department  of  Commerce,  and  the  US  Government 
Printing  Office. 

7.3.6  Mark  IV/AUDITOR.  First  delivery  of  Mark  IV  was  in 
1968.  More  than  1000  systems  have  been  installed  in  the  US 
and  in  other  countries.  AUDITOR  is  a  special  feature  and  was 
first  introduced  in  1976.     Mark  IV/AUDITOR  has  been 
installed at ERDA in Germantown, Md.

7.3.7  SCORE.  First  introduced  in  1969.  SCORE  III   in  January 
1970,  SCORE  IV  March  1972.  Over  400  systems  installed.  Some 
Washington  DC  area  installations  include  HUD,  Maritime 
Administration,  Department  of  Agriculture. 


7.4     General  Systems  Characteristics 

The  basic  design  of  an  auditing  software  package  is 
important  in  analyzing  the  potential  performance, 
flexibility,  and  transferability  of  the  package.  Other 
characteristics  are  the  availability  of  separate  functional 
components  of  the  package,  and  the  method  of  combining  these 
components  to  generate  data  and  information  useful  to  the 
auditor.  The  language  in  which  the  package  is  written  is  of 
importance  if  changes  have  to  be  made  to  the  program.  Also 
of  importance  are  the  ability  to  link  to  other  programs,  and 
the  ability  to  accommodate  user  generated  routines,  macros 
or  programs. 

7.4.1 AUDITAPE. Tapes have been prepared for several makes
and  types  of  machines,   including  sets  of  programs  specially 
prepared  and  programs  furnished  by  the  manufacturers. 
Auditapes  are  in  machine  language.     Three  different  types  of 
programs  convert  client  file  records  into  a  standard 
Auditape  format.     IBM  1400  and  Honeywell  200  machines  use 
the  basic  edit  program,  DOS  uses  the  manufacturer's  utility, 
and  OS  and  DOS/VS  use  the  expanded  edit  program.     A  set  of 
specialized  programs  manipulate  these  standardized  files  and 
produce  the  desired  output. 

7.4.2 DYL 260. A report writer, data manipulator, and file
utility  program,  written  in  assembly  language,  and  meant  to 
be  cataloged  and  used  on  the  host  computer.  Required 
processing is controlled by simple parameters input on
cards.

7.4.3  EASYTRIEVE.  The  system  is  written  in  assembly  language 
and  produces  an  audit  report.  It  is  a  load-and-go  system, 
and  does  not  require  intermediate  program  production  and 
compilation.     Options  are  available  for  interfacing  with 
data  base  systems  such  as  IMS  and  TOTAL.  A  CALL  command 
permits  use  of  auditor-written  higher  level  language 
subroutines.  A  macro  processor  command  processor  permits  use 
of auditor-defined macro routines.

7.4.4 EDP-AUDITOR. EDP-AUDITOR is written in assembly
language  and  produces  an  object  code  program  which  is 
executed  to  produce  the  audit  listing.     This  type  of  system 
is  a  load-and-go  type  system.  Up  to  256  input  files  and  100 
output  files  or  reports  can  be  specified.  A  library  of 
routines  is  available  supporting  six  auditing  areas:  file 
footing  -control;     exception  analyses;     summary  analyses; 
special  processing  routines;     confirmation  of  accounts;  and 
selection  and  sampling.     EDP-AUDITOR  consists  of  the  CULPRIT 
system  plus  the  library  of  audit  routines.     Interfaces  are 
available  for  data  base  management  systems  such  as  IDMS, 
IMS, DL1, TOTAL, DATACOM/DB etc., as well as for the TSO,
ROSCOE, and WYLBUR time sharing systems. There is a
complete  cataloging  and  macro  facility  and  exits  are 
provided  to  user  written  programs. 

7.4.5  HEWCAS.  HEWCAS  is  written  in  the  BASIC  programming 
language,  and  produces  COBOL  programs  which  can  be  compiled 
and  executed  on  various  machines.  The  user   is  prompted  for 
the  input  specifications.     Two  simultaneous  files  can  be 
handled  on  input,  with  any  combination  of  media.  Up  to  91 
simultaneous outputs are possible (one printer and 90 disk
or tape files). No user written routines can be used, but
produced  COBOL  programs  can  be  saved.     External  program 
linkages  are  only  possible  by  modification  of  the  COBOL 
program. 

7.4.6 MARK IV/AUDITOR. MARK IV/Auditor is written in
assembly  language  and  produces  an  assembly  language  program 
which  is  executed  to  produce  results.     The  system  can  be 
considered  a  "load-and-go"  system.     It  consists  of  the  Mark 
IV  system  and  the  library  of  audit  routines.     Mark  IV 
handles  various  data  processing  considerations  in  a  manner 
transparent  to  the  auditor.  The  auditor  specifies  the  file 
characteristics  and  functions  to  be  performed  by  filling  out 
worksheets,  which  are  translated  into  parameter  cards. 
Standard  file  types  and  data  bases  are  automatically 
supported,  multiple  files  coordinated  and  up  to  255  reports 
produced   in  one  pass  of  the  file.     The  auditor  can  sample, 
select,  compute  and  report  by  specifying  selection  criteria 
and  custom  reports  or  by  utilizing  the  library  of  audit 
routines.     The  library  includes  routines  for  aging, 
confirmation  notices,  random  sampling,  monetary  sampling, 
stratification  and  grouping  among  others. 

7.4.7  SCORE.  The  system  is  written  in  COBOL  and  generates 
COBOL  programs  as  output.     Program  generation  is  governed  by 
about thirty different keyword parameter cards, of which
generally only a few are necessary for any given run. The
vendor states that "no superfluous PROCEDURE DIVISION CODE
is generated, so that programs are only as long as they need
to be". The user can insert his own COBOL code at almost any
point.

7.5     Modes  of  Use 

The  operator  interaction  with  the  software  package  is 
described  here.     Various  specifications  must  be  supplied  to 
an  auditing  package  describing  client's  file 
characteristics, functions to be performed, and desired
presentation  of  results.  The  object  computer  configuration, 
i.e.   the  configuration  of  the  computer  on  which  the  audit 
package  is  run  to  produce  audit  results,  must  also  be 
specified.     These  specifications  can  be  communicated  to  the 
audit  program  in  an  interactive  dialog  from  a  terminal,  or 
they  may  be  entered  by  punched  cards,  requiring  preparation 
of  multiple  choice  forms,  questionnaires,  coding  forms,  or 
other  written  instructions.     Number  of  forms,  detail 
specified,  ability  to  accommodate  changes,  affect  ease  of 
use  of  the  package. 

7.5.1  AUDITAPE.  Specification  sheets  are  filled  out,  and 
form  the  source  for  keypunched  specification  cards.  The 
cards  are  read   into  storage,  and  combined  with  instructions 
from  the  Auditape  system  they  complete  the  program  for  the 
particular  process.  Messages  printed  during  processing,  and 
computer  operator  documentation  include  explanations  for 
operation  of  the  equipment. 

7.5.2 DYL 260. Special layout sheets are provided to guide
writing  and  subsequent  keypunching  of  input  parameters. 
Parameters  grouped  in  these  functional  categories:  program 
control,  file  control  and  definition,  data  selection  and 
manipulation,  report  control  header,  report  titles,  report 
print  line,  job  control.  Certain  processes  can  be  done 
within  these  functional  areas  without  inputting  parameters 
in  other  groups. 

7.5.3  EASYTRIEVE.  Easytrieve  is  written  in  free  form  by 
selection  from  a  set  of  English  commands.     No  special 
specification  sheets  are  required.     Queries  are  entered  via 
punched  cards.     As  queries  are  read,  an  executable  program 
is  compiled  and  processed.     File  specifications  are  stored 
in  a  "library"  from  which  they  are  available  when  needed. 
Selection  criteria  are  specified  with  "IF"  statements.  Data 
movements  are  specified  and  a  sort  command  is  available.  A 
controls  command  lists  fields  where  breaks  should  occur,  and 
a  list  statement  specifies  report  items  and  their  order. 

7.5.4 EDP-AUDITOR. There are three pre-printed parameter
forms — input  definition,  output  definition,  and  process 
definition,  which  are  translated  into  punched  cards.  These 
parameter  forms  are  fixed  in  format,  and  prompt  the  user 
filling  them  in.     An  extra  cost  terminal-oriented  version 
assists  in  free-form  input.     A  free-form  version  is  also 
available  at  no  additional  cost. 

7.5.5  HEWCAS.   Input  is  specified  by  answering  of  multiple 
choice  questions.     The  system  is  interactive  and 
specifications are entered from a terminal in a dialog
manner.

7.5.6 MARK IV/AUDITOR. Files and tables, report types and
formats, and selection methods are defined by coding forms,
which  are  translated  into  punched  cards.  Prewritten 
routines  are  selected  by  the  parameter  cards,  and  routines 
written  by  the  auditor  can  also  be  used.  In  addition  Mark  IV 
system  routines  are  available.     There  are  11  basic  forms  in 
MARK  IV,  and  about  11  specialized  work  sheets  available  for 
the  specialized  AUDITOR  routines.     Free-form  and  on-line 
query  versions  are  available  at  extra  cost. 

7.5.7  SCORE.  Data  definitions  are  entered   in  COBOL.  They  can 
be  also  entered  from  a  pre-existing  library.  Functions  and 
output specifications are entered by filling out of
pre-printed forms, which are translated into punched cards. The
system is designed to operate in a batch mode. The vendor
offers a user-written interactive prompting system
(currently designed to run under IBM's TSO), but does not
presently support it.

7.6     Computer Environment

The  auditing  software  package  may  produce  a  program 
capable  of  running  on  a  computer  different  from  the  one  on 
which  the  initial  parameters  were  specified.  The  computer  on 
which  the  initial  parameters  were  specified  is  called  the 
source  computer.  The  computer  on  which  the  auditing  software 
executes  the  audit  functions  and  derives  audit  data  is 
called  the  object  computer.  The  source  computer  could  be  a 
computer  at  the  auditor's  location,  while  the  target 
computer may be a machine at the client's site. The source
computer and the object computer could also be the same
computer.

7.6.1  AUDITAPE.  Three  systems  are  available  for  IBM  360  and 
370  series  computers.     DOS  release  5.3  contains  the 
manufacturer's  operating  system.     OS  and  DOS/VS  use  the 
installation operating system and can be run in a
multi-programming environment. The OS Auditape does not include
the operating system and can only be used by installations
having the full IBM OS system. It can be run in a
multi-programming environment. The IBM 1400 and Honeywell 200
Auditapes  also  contain  their  own  operating  systems,  and 
require  dedicated  computer  operation.  For  dedicated  use  at 
least  32  K  bytes  of  storage  are  required.     OS  requires  80  K 
and  DOS/VS  requires  64  K  of  core  partition.     For  IBM  1400 
and  Honeywell  200  machines  at  least  8K  characters  of  storage 
are  required. 

7.6.2  DYL  260.  Source  and  Object  computers  are  the  same:  IBM 
360  and  370  with  minimum  65K  bytes  of  core  storage. 
Supported  under  most  current  versions  of  OS  and  DOS 
operating  system  software,   including  VS  options. 

7.6.3  EASYTRIEVE.  Runs  on  all  IBM  360  and  370  and  UNIVAC 
Series  70  machines. 

7.6.4 EDP-AUDITOR. Runs on IBM 360 and 370 under DOS, OS, and
VS operating systems. For DOS 54K bytes is the minimum core
and for OS 80K bytes of core. Also runs on UNIVAC series 70
DOS, TDOS, and VMOS with 70-80K bytes of core.

7.6.5  HEWCAS.  UNIVAC  1108  source  computer,  operating  under 
INFONET  CSTS.  Minimum  of  100  K  bytes  of  core  is  required. 
Mass storage device - disk needed to store program, card
punch needed to prepare output deck. Object computers are
IBM 360 or 370, CDC, BURROUGHS, and HONEYWELL machines,
with  COBOL  compilers. 

7.6.6 MARK IV/AUDITOR. Different versions have been designed
for a variety of machine configurations including IBM 360
and 370, UNIVAC Series 70 TDOS, UNIVAC 9400 or 9480 DOS, and
UNIVAC Series 90 OS/4 systems, and SIEMENS 4004 PBS systems.
In the system 360/370 environment the system operates under
DOS, DOS/VS, OS, OS/VS1 and OS/VS2. There are six major
versions  available.     The  basic  Mark  IV  package  requires  36K 
bytes  of  core.     Most  applications  require  between  80  and  120 
K  bytes  of  core.     On-line  operation  under  IBM  TSO  is  also 
available.     MARK  IV  has  optional   interfaces  for  update  and 
retrieval from TOTAL, DOS/VS, DL/1, or IMS data bases.

7.6.7  SCORE.  SCORE  operates  on  many  computers  and  a  variety 
of operating systems: IBM OS (88K), DOS (52K); BURROUGHS
4700 and 6700/7700 (8K words); CDC 6000 (50K words), UNIVAC
9000/9400 (50K), UNIVAC 1108/1110 (27K words), HONEYWELL
2000/6000,  RCA-Spectra,  and  NCR  Century.  All  systems  require 
COBOL  compilers. 


8.      INPUT CHARACTERISTICS


General purpose audit packages must accommodate a
variety of file characteristics and data types which exist
in various client's files. Characteristics which can be
handled by the various systems are listed below.


8.1     Data Types

A variety of data types that exist in various client's
files must be accommodated by general purpose audit
packages. These data types are machine representations, but
are dealt with by the auditing software in a logical way.
Examples of data types which the vendors are supporting are
numeric, numeric signed, alphanumeric, decimal, binary,
floating point etc.

8.1.1 AUDITAPE. Character, zoned (unpacked) decimal, packed
decimal, or binary data formats are accepted by the IBM OS,
DOS and DOS/VS routines. Other routines accept IBM or
HONEYWELL tape codes.

8.1.2 DYL 260. Zoned decimal, packed decimal,
binary, character.

8.1.3 EASYTRIEVE. Binary, alphabetic, zoned numeric, packed
decimal data can be defined in input.

8.1.4 EDP-AUDITOR. Alphanumeric, binary, decimal, packed
decimal, unsigned packed decimal, and bit.

8.1.5 HEWCAS. Numeric - signed, unsigned, display,
computational, decimal, fixed length alphanumeric, i.e., COBOL
data types.

8.1.6 MARK IV/AUDITOR. The various versions are designed to
handle access methods, data representations, and conversions
automatically, transparent to the auditor.

8.1.7 SCORE. All data types acceptable to COBOL can be
processed.

8.2     Input File Characteristics

A  variety  of  files  and  file  types  are  typically 
accessible.     These  files  may  be  sequential,  index 
sequential,  or  their  organization  may  depend  on  a  particular 
data  base  system.     Record  types  may  be  of  fixed  length  or  of 
variable  length.  Records  may  be  grouped  in  blocks  or  they 
may  be  unblocked.  Files  may  have  ANSI  standard  labels, 
industry  standard  labels,  non-standard  labels  or  no  labels. 
A  system  may  have  to  recognize  various  file  marks  such  as 
"end  of  reel",   "end  of  file",  or   "end  of  volume".     In  some 
applications,   the  auditor  must  specify  detail   in  the 
client's  files  which  is  to  be  processed  by  the  audit  system. 
The  files  may  be  either  processed  directly,   in  which  case 
complete  specifications  for  all  format  detail  must  be  stored 
in  the  object  computer,  or  an  intermediate  file  may  be 
prepared,  which  is  in  a  standardized  format. 

8.2.1  AUDITAPE.  All  punched  card  and  fixed  length  magnetic 
tape  records  and  many  types  of  variable-length  magnetic  tape 
records  can  be  processed.     For  IBM  systems  six  different 
types  of  variable-length  records  can  be  processed.  DOS/VS 
and OS systems can also accept disk files in sequential,
ISAM, and undefined formats. For Honeywell systems two
types of variable-length records can be processed (bannered
and unbannered records). An intermediate "Auditape" is
always produced which is used as input to other routines.

8.2.2 DYL 260. Almost any IBM format can be handled: fixed
and  variable  length,  blocked,   unblocked,  sequential,  indexed 
sequential  files.     Also  accommodated  can  be  Honeywell  and 
Univac  formats. 

8.2.3  EASYTRIEVE.  Fixed  and  variable  length,  blocked  and 
unblocked  records,  sequential  or   indexed  sequential  records 
or   input  stream  of  cards  or  of  card  image  records  can  be 
handled.     Almost  all  IBM  formats  can  be  handled. 

8.2.4 EDP-AUDITOR. Just about any type of file can be
handled--sequential, index sequential, random, and data base
(DL 1, DATACOM/DB, IMS, RDMS, TOTAL, and IDMS). The record
formats  supported  are  fixed,  variable,  and  undefined.  Label 
support  is  for  standard,  omitted,  and  user  labels.  Any  block 
size  compatible  with  the  computer  system  can  be  used. 

8.2.5  HEWCAS.  Sequential,   indexed  sequential,  random  files 
can  be  handled.     Fixed  length,  variable  length  record  types. 
Any  block  size  compatible  with  COBOL.  COBOL  standard  labels 
or no labels can be handled.

8.2.6 MARK IV/AUDITOR. Different versions accommodate
formats  and  file  characteristics  of  different  manufacturers. 
All  data  set  organization  can  be  utilized:  sequential, 
indexed  sequential,  fixed  length,  variable  length,  and 
undefined  data  bases. 

8.2.7  SCORE.  Any  type  of  file  structure  that  can  be  accessed 
through  COBOL  can  be  handled  by  SCORE.    (Sequential,  indexed 
sequential,  random,  and  all  data  bases.) 


8.3 Media Characteristics

There  exist  a  variety  of  media  on  which  information  can 
be  recorded.     This  section  summarizes  media  which  can  be 
handled  by  the  various  systems.     Most  systems  provide 
flexibility  for  accepting  files  on  cards,  tapes,  or  disks. 
Similarly  output  can  be  provided  on  cards,  tapes,  or  disks. 
Variations  of  media  codes,  such  as  tape  codes  of  various 
manufacturers  usually  are  handled  by  different  versions  of 
software  packages. 

8.3.1  AUDITAPE.  Initial  input  records  may  be  in  punched  card 
or  magnetic  tape  form  for  the  IBM  1400  and  Honeywell  200 
edit routine. The IBM DOS, TOS, and OS routines accept card,
tape  and  disk  inputs. 

8.3.2 DYL 260. I/O devices supported include IBM 2311, 2314,
3330, and 3340 disk drives, plus the usual unit record
peripherals.

8.3.3 EASYTRIEVE. Punched card, tape, or disk input are
accepted.

8.3.4 EDP-AUDITOR. Tapes, punched cards, and IBM
2311, 2314, 3330, 3340, 3350 disk drives are supported.

8.3.5  HEWCAS.  The  system  supports  cards,   tapes,  and  disks. 

8.3.6  MARK  IV/AUDITOR.  The  various  versions  support  card, 
tape  and  disk  input. 

8.3.7  SCORE.  The  system  handles  whatever  the  host  COBOL  and 
operating  system  can  handle;  generally  this  includes  all 
device/media combinations available on the object computer.


9. BASIC FUNCTIONS AND UTILITIES


This  section  furnishes  an  overview  of  some  basic  data 
processing functions, which permit the auditor to analyze
client  files,  and  to  display  client  data  in  a  form  suitable 
for  analysis  by  the  auditor. 

9.1  Copying 

Although there usually are utility programs available
at the client's site, some generalized audit packages provide
file copying capabilities. Details on the systems analyzed
are given below. In some cases the copying function
includes a selection capability.

9.1.1  AUDITAPE.  All   input  file  records  can  be  translated 
into  the  standard  Auditape  format  by  means  of  the  different 
input  edit  routines.     No  explicit  copy  routine  is  available. 

9.1.2 DYL 260. Easily specified with a few parameters;
provides  control  tables  and  options  for  diagnosing  bad 
records  or  for  reformatting. 

9.1.3 EASYTRIEVE. Copy capability is available for file
maintenance.

9.1.4 EDP-AUDITOR. Can take in any input file format and
produce  whatever  output  format  file  is  desired,   i.e.   it  can 
copy  a  file  or  only  selected  portions  of  a  file. 

9.1.5  HEWCAS.  HEWCAS  can  take  any  type  of  input  file  and 
select  all   the  records  producing  a  disk  or  tape  output  file. 

9.1.6 MARK IV/AUDITOR. No special provisions for copying
available  as  part  of  the  Auditor  routines.  Copying  routines 
are  available  as  part  of  the  Mark  IV  capabilities. 

9.1.7 SCORE. Records may be copied onto an output file from
multiple  input  files,  with  records  selected  on  logical 
comparisons  and  on  whether  or  not  the  primary  and  secondary 
input  files  are  matched.  Up  to  99  output  files  may  be 
created  from  one  pass  of  the  input  files  with  the  optional 
MULTIPLE REPORT feature.


9.2 Sorting

Sorting  refers  to  the  arranging  of  a  set  of  records  in 
a  specified  order,  according  to  sort  keys.  The  order  may  be 
an  alphabetic  or  numeric  sequence.  Ascending  or  descending 
sequences  may  be  required.     Several  sort  keys  may  be 
specified in some systems for one pass operation. In some
systems sorting is combined with other input, processing or
output  functions  to  speed  up  or  to  simplify  the  auditor's 
task. 

9.2.1  AUDITAPE.  Sort  routines  are  available  for  IBM  360  and 
370 DOS, TOS and OS systems. Several Auditape routines
require  input  Auditape  files  to  be  in  sequence  based  upon 
specified  control  fields.  The  sort  routine  or  sort  program 
arranges  the  Auditape  file  into  sequence  by  the  fields 
specified. 

9.2.2  DYL  260.  Has  its  own  sort  module,  to  sort  during 
input,  selection,  or  prior  to  printing  or  writing  output 
file. 

9.2.3  EASYTRIEVE.  Sorting  and  calculations  can  be  done  in 
one  step.  Up  to  ten  fields  can  be  sorted  in  ascending  or 
descending  order. 

9.2.4 EDP-AUDITOR. Has capability to sort with up to 20 sort
key  fields  in  any  one  report.     Each  sort  field  can  be 
specified  as  ascending  or  descending.     Sorting  may  also  be 
performed  on  calculated  values. 

9.2.5  HEWCAS.  Has  no  internal  sort  capability. 

9.2.6  MARK  IV/AUDITOR.  Sorting  sequence  of  reports  can  be 
specified independent of the sequence of the input file, as
part  of  the  report  specification. 

9.2.7  SCORE.  Uses  COBOL  sort  capability   (SORT  verb).  The 
user  specifies  the  sorting  sequence  desired,  either 
Ascending  or  Descending  for  every  item  to  be  sorted.  The 
sort limitation is identical to that of the operating
system.


9.3     Multiple  File  Input 

Ability  to  handle  multiple  files  simultaneously  on 
input  improves  flexibility  of  the  package.  This  is  useful 
for  the  comparison  of  files,   for  merging  and  matching 
operations.     This  capability  requires  the  appropriate  number 
of input equipments needed for simultaneous operation.

9.3.1 AUDITAPE. Two tapes can be handled simultaneously on
input.

9.3.2  DYL  260.  Four  input  and  four  output  files  can  be 
handled  simultaneously. 

9.3.3 EASYTRIEVE. Up to two input files can be handled
simultaneously.

9.3.4 EDP-AUDITOR. Up to 256 input files can be handled at
one  time. 

9.3.5 HEWCAS. Two input files can be handled simultaneously.

9.3.6 MARK IV/AUDITOR. Information from up to eleven input
files  may  be  combined.     This  capability  is  available  for  use 
with  any  AUDITOR  routine. 

9.3.7  SCORE.  Can  handle  a  total  of  eight  files,  of  which 
from  one  to  six  can  be  input  or  output  depending  on  the 
user's  need.     With  the  MULTIPLE  REPORT  feature  the  system 
can  generate  more  than  200  output  files. 


9.4  Merging 

This  refers  to  the  combining  of  records  of  two  or  more 
files,   that  are  each  in  the  same  sort  order,   into  one  file, 
in  that  order.     Merging   is  useful  for  making  files  more 
understandable to the auditor, e.g. a vendor name file may be
merged  with  a  sales  file  to  provide  vendor  names  rather  than 
vendor  codes  to  the  auditor. 

9.4.1  AUDITAPE.  A  Match/Merge  routine  compares  two  separate 
files  of  Auditape  records  on  as  many  as  five  control  fields 
and  writes  an  output  file  of  records  that  match  as  to  the 
control  fields  specified.     The  output  file  may  contain 
records  from  either   input  file  or  from  both  input  files,  as 
specified. 

9.4.2  DYL  260.  Provided  as  specified  by  input  parameters  up 
to  a  4  way  merge. 

9.4.3  EASYTRIEVE.  Two  files  may  be  merged  by  keys. 

9.4.4 EDP-AUDITOR. Merging is automatically accomplished
with  the  file  matching  facility.  Up  to  4  different  file 
match keys may be specified.

9.4.5 HEWCAS. No merge capability available.


9.4.6  MARK  IV/AUDITOR.  Up  to  eleven  input  files  may  be 
automatically  combined  by  MARK  IV/AUDITOR  either 
sequentially  or  directly. 

9.4.7 SCORE. Records can be selected from several files by
means of Boolean logic, "first-n records" criteria, etc., and
the  results  can  be  merged  onto  a  new  file.     No  "built-in" 
merge  parameter  available,  however. 


9.5 File Validation

File  validation  refers  to  the  checking  of  data  for 
correctness,  or  compliance  with  applicable  standards,  rules 
and  conventions.  Copies  of  files  can  be  validated  through 
bit-by-bit  comparison  with  a  master  file.  Discrepancies  can 
be  indicated  and  system  reaction  can  be  programmed. 

9.5.1 AUDITAPE. The Match/Merge routine can be used for file
validation. It can also check for duplicate records within
the same file (control field data is equal). These duplicate
records  may  be  accepted  or  rejected  for  further  processing 
and  optional  listing  on  the  printer.     Outputs  also  include 
record  counts,  net  totals  of  quantitative  data  in  fields  7  - 
12,  and  positive  and  negative  totals  of  quantitative  data  in 
field  9. 

9.5.2  DYL  260.  Provided  as  specified  by  input  parameters. 
Input  can  be  matched  against  3  other  files. 

9.5.3  EASYTRIEVE.   Input  files  can  be  matched,   two  at  a  time. 
If  a  data  exception  occurs,   the  error  field  is  printed, 
along  with  the  contents  of  all  working  storage  fields. 

9.5.4  EDP-AUDITOR.  There  are  library  routines  for  file 
footing  allowing  the  user  to  determine  if  the  appropriate 
number  of  records  are  present  and  if  the  data  in  those 
records  are  what  is  expected.  In  addition,  a  data  exception 
analysis  routine  is  available,  where  for  example  data 
defined  as  numeric,  but  actually  alpha  numeric,  are  flagged 
and  dumped.  When  30  data  exceptions  are  encountered,  the 
processing  ceases.     Fields  and  records  containing  data 
exceptions are displayed.

9.5.5 HEWCAS. Prints number of input records where a data
field  defined  as  numeric  contains  non-numeric  data.  Prints 
records  where  fields  are  defined  as  numeric  but  contain 
non-numeric  data.     Stops  processing  after  100  invalid 
records.     Prints  number  of  blocks  with  input/output  errors 
(terminates after 200 errors). Finds duplicate fields in
one file and lists records. Finds duplicate fields in two
files and lists records. Record layouts on the two files may
be different, except for matching fields.

9.5.6 MARK IV/AUDITOR. The system checks automatically for
arithmetic overflow, invalid operations (for instance,
division  by  zero),  and  invalid  data.  Erroneous  reports  are 
highlighted  without  affecting  any  other  reports,  selection, 
or  calculations  in  the  run.  Any  numeric  field  can  be 
examined  to  determine  missing  numbers,  or  to  detect  numbers 
appearing   in  more  than  one  record  on  a  file. 


9.5.7  SCORE.  No  special  file  validation  routine  is  provided, 
other  than  normal  COBOL  I/O  diagnostics.     Can  match  up  to 
five  data  items  per  file  in  two  files,  to  permit  processing 
the  two  in  parallel.     Can  not  check  for  duplicates  in  one 
file,  except  through  user's  own  code. 
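
An added example, not taken from the report or from any of the packages it describes: a one-pass file validation in Python that produces the outputs listed in 9.5.1 to 9.5.5 (record counts, positive, negative and net totals, data exceptions for non-numeric data in numeric fields, records with equal control fields) and stops after a set number of invalid records. The record layout, the field names and the `validate_file` function are assumptions made for illustration.

```python
import re
from collections import defaultdict
from decimal import Decimal

# A field defined as numeric must contain only an optional sign, digits
# and an optional decimal fraction.
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample records (not from the report); every field arrives as
# text, the way it would after reading a fixed-length client file.
SAMPLE_RECORDS = [
    {"vendor": "V001", "invoice": "1001", "amount": "250.00"},
    {"vendor": "V002", "invoice": "1002", "amount": "-40.00"},
    {"vendor": "V001", "invoice": "1001", "amount": "250.00"},  # equal control fields
    {"vendor": "V003", "invoice": "1003", "amount": "12O.50"},  # letter O, not zero
    {"vendor": "V004", "invoice": "1004", "amount": "75.25"},
]


def validate_file(records, control_fields, numeric_fields, max_invalid=100):
    """Validate a file in one pass and return a control report.

    Processing stops once max_invalid invalid records have been read
    (the report quotes limits of 30 and 100 for two of the packages).
    """
    totals = {f: {"net": Decimal(0), "positive": Decimal(0), "negative": Decimal(0)}
              for f in numeric_fields}
    seen = defaultdict(list)      # control-field values -> record numbers
    exceptions = []               # (record number, field, offending value)
    records_read = invalid_records = 0
    halted = False

    for number, record in enumerate(records, start=1):
        records_read += 1
        seen[tuple(record.get(f, "") for f in control_fields)].append(number)

        bad = [(number, f, record.get(f, "")) for f in numeric_fields
               if not NUMERIC.fullmatch(record.get(f, "").strip())]
        if bad:
            exceptions.extend(bad)
            invalid_records += 1
            if invalid_records >= max_invalid:
                halted = True
                break
            continue              # invalid records are kept out of the totals

        for f in numeric_fields:
            value = Decimal(record[f].strip())
            totals[f]["net"] += value
            totals[f]["positive" if value >= 0 else "negative"] += value

    return {
        "records_read": records_read,
        "invalid_records": invalid_records,
        "exceptions": exceptions,
        "duplicates": {k: v for k, v in seen.items() if len(v) > 1},
        "totals": totals,
        "halted": halted,
    }


if __name__ == "__main__":
    report = validate_file(SAMPLE_RECORDS, ["vendor", "invoice"], ["amount"])
    for name, value in report.items():
        print(name, value)
```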

9.6     File  Matching 

Matching of files permits the determination of identity
of  records  or  files.  Duplicate  records  can  be  identified  in 
one  file,  or  by  comparison  of  two  files. 

9.6.1  AUDITAPE.  The  Match/Merge  routine  compares  two 
separate  files  of  Auditape  records  on  as  many  as  five 
control  fields  and  writes  an  output  file  of  records  that 
match  as  to  the  control  fields  specified.  The  output  file 
may  contain  records  from  either   input  file  or  from  both 
input  files,  as  specified.     Also  duplicate  records  may  be 
listed  as  cited  above  in  9.5.1. 

9.6.2 DYL 260. Provided as programmed by input parameters.

9.6.3  EASYTRIEVE.  Two  input  files  may  be  matched  by  keys  and 
merged in one step operation.

9.6.4  EDP-AUDITOR.  Up  to  256  input  files  can  be  matched  and 
their  information  consolidated  into  one  file. 

9.6.5 HEWCAS. Duplicate fields can be found in one file, and
the  records  are  listed.     Duplicate  fields  can  be  found  in 
two  files,  and  the  duplicate  records  can  be  listed.  Record 
layouts  on  the  two  files  may  be  different,  except  for  the 
matching  fields. 

9.6.6  MARK  IV/AUDITOR.  Two  or  more  files  representing 
similar data can be compared for exceptions.

9.6.7 SCORE. Matching is handled with a simple MATCH
parameter. Matched records can be combined for printout,
merging onto a new file, etc.


10. NUMERICAL AND LOGICAL OPERATIONS


Auditing  software  provides  assistance  to  the  auditor  in 
the  evidence  gathering  process.  The  auditor  collects  data 
from  client's  files,  and  puts  these  data  in  a  form  which 
permits  analysis  and  auditing.     Both  during  the  collection 
process  and  during  the  analysis  of  the  data  numeric  and 
logical  processes  are  used  to  combine  fields,   to  compare 
fields,  and  to  summarize  and  select  data.  Arithmetic 
operations  such  as  addition,  subtraction,  multiplication  and 
division  are  available.  Other  capabilities  are  the  counting 
of  records,   simple  computation  of  percentages,  and 
computation of standard deviations. Relational operations
permit  comparison  of  magnitudes  of  numeric  fields  on  the 
basis  of  operators  such  as  equal  to,  not  equal  to,  greater 
than  or  less  than  and  combinations  of  these.  Logical 
capabilities  include  AND,  OR,  and  NOT    operations,  and  a 
conditional  operation  similar  to  IF...  THEN. 

10.1     Arithmetic  Operations 

Arithmetic  operations  such  as  addition,  subtraction, 
multiplication and division are available. Other needed
capabilities  are  the  counting  of  records,   simple  computation 
of  percentages,  and  computation  of  standard  deviations. 

10.1.1  AUDITAPE.  A  mathematical  routine  is  provided,  that 
performs  addition,   subtraction,  multiplication  or  division 
of  amounts  in  any  two  quantitative  fields  of  an  Auditape 
record,  or  of  an  amount  in  one  field  and  a  specified 
constant.     The  routine  can  perform  10  separate  computations 
in  each  pass.     For  both  input  files  and  output  files  record 
counts,  net  totals  and  totals  of  positive  and  negative  data 
are  printed  for  some  fields.     The  result  of  any  computation 
can  be  used  as  an  operand   in  a  subsequent  computation  within 
the  same  pass. 

10.1.2 DYL 260. Data in zoned decimal, packed or binary
format  can  be  added  to,   subtracted  from,  multiplied  by,  or 
divided  by  data  of  the  same  or  of  different  format. 
Totalling  and  control  breaks  are  automatic. 

10.1.3 EASYTRIEVE. Totals can be calculated automatically on
control  break.     A  variety  of  numerical  calculations  can  be 
specified  by  the  user,   such  as  percent  of  total,  average, 
addition,   subtraction.  Calculations  can  be  made  in 
conjunction  with  merging  and  sorting   in  one  step.  All 
formats  can  be  used  together,  and  decimal  alignment  is  done 
automatically.

10.1.4 EDP-AUDITOR. Any numeric field can be totaled. There
can  be  20   (standard)    to  60    (optional)   levels  of  totaling, 
with  no  system  limits  on  the  number  of  fields  in  any  one 
level.     Arithmetic  capabilities  present  are  addition, 
subtraction,  multiplication,  and  division.  There  are  library 
routines  for  statistical  analysis.  Temporary  variables  can 
be  defined,   tested,  and  printed. 

10.1.5  HEWCAS.  Totals  can  be  reported  on  any  numeric  field. 
Totals  can  be  reported  by  strata  levels.     No  other  explicit 
arithmetic functions are available. No temporary variables
for  testing  are  available. 

10.1.6  MARK  IV/AUDITOR.  Addition,  subtraction, 
multiplication,  division  and  replacement  may  be  applied  to 
data  fields  or  constant  values.     Conversions  from  one  data 
type  to  another  are  handled  automatically.     Calculations  may 
be  specified  on  the  calculations  work  sheet,  on  the 
selection  work  sheet  or  the  information  request  work  sheet 
and  resultant  values  may  be  used  for  record  selection, 
further  processing,  or  reporting. 

10.1.7  SCORE.  Any  COBOL  computational  capability  can  be 
specified,   including  addition,  subtraction,  division, 
multiplication,  and  exponentiation.     Up  to  nine  temporary 
variables  are  available  automatically;   an  unlimited  number 
may  be  submitted  through  user  own  code.     Up  to  120  totals 
may  be  specified  automatically;  an  unlimited  number  may  be 
specified  with  the  optional  MULTIPLE  REPORT  feature. 


10.2     Relational  Operations 

Relational  operations  permit  comparison  of  magnitudes 
of  numeric  fields  on  the  basis  of  operators  such  as  equal 
to,  not  equal  to,  greater  than  or  less  than  and  combinations 
of  these. 

10.2.1  AUDITAPE.  The  Include/Exclude  and  Subtotal  routines 
provide  for  three  types  of  comparisons  of  input  records  and 
specified  codes:  Greater  than,  equal  to,  and  less  than.  For 
nonquantitative data comparison is based on the IBM
collating  sequence.     The  printed  output  will   include  for 
each  output  file  record  counts,  net  numeric  totals,  and 
totals  of  both  positive  and  negative  numbers  for  one  field. 
Records  meeting  or  not  meeting  the  comparison  criteria  may 
be specified for output. If the subtotal routine is specified,
subtotals for each specified code and record counts will be
printed out. Four routines provide for subtotals,
inclusion,   inclusion  and  subtotals,  and  exclusion  of 
records.

10.2.2 DYL 260. Tests include "equal to", "less than",
"greater than", "less than or equal to", "greater than or
equal to".

10.2.3  EASYTRIEVE.  A  complete  set  of  relational  operators 
(such as greater than, less than) is available in
connection  with  the  IF  statement. 

10.2.4  EDP-AUDITOR.  Comparisons  can  be  made  on  numeric  and 
nonnumeric  fields  for  equality,   inequality,  greater  than  or 
less  than  relationships. 

10.2.5 HEWCAS. Comparisons are made for equality and range
(low and high limits).

10.2.6 MARK IV/AUDITOR. Tests include greater than, less
than, equal to, not equal to, and less or equal and greater
than or equal. The data in the specified field may be
compared  to  a  field  from  the  file,  a  character  constant,  or 
a  decimal  constant.     Data  in  the  specified  field  may  also  be 
compared  to  any  temporary  field. 

10.2.7  SCORE.  Has  COBOL  capability,  which  generally 
includes: EQUAL, NOT EQUAL, GREATER/LESS THAN, GREATER/LESS
THAN  OR  EQUAL  TO,   test  for  numeric  field,   test  for  alpha 
field. 


10.3 Logical Operations

Logical  capabilities  include  and,  or,  and  not 
operations,  and  a  conditional  operation  similar  to  IF... 
THEN. 

10.3.1  AUDITAPE.  The  Match/Merge  routine  provides  for 
printing  of  records  that  do  or  do  not  have  a  matching 
primary or secondary record. (The input files are designated
as primary and secondary files.) The expanded edit routine
in  the  OS  and  DOS/VS  systems  contains  capabilities  for 
equal,  greater  than,  and  less  than  comparisons  with 
true/false  action  paths. 

10.3.2  DYL  260.  Logical  operations  are  not  explicitly 
provided, but implicitly programmed through entry of
parameter  values  and  sequence  of  actions.     Complete  AND/OR 
logic  and  IF/THEN/ELSE  logic  permit  formulation  of  complex 
requests.

10.3.3 EASYTRIEVE. AND/OR logic and IF/THEN/ELSE logic are
available.     Within  each  logical  operation  arithmetic 
calculations,  data  movements,  tests,  table  lookups,  and 
output  operations  can  be  performed. 

10.3.4 EDP-AUDITOR. The logical operators AND, OR, NOT,
IF-THEN-ELSE are not explicitly used; however, these functions
are  implicitly  available  in  the  EDP-AUDITOR  language  via  the 
placement  of  the  conditional  expressions. 

10.3.5  HEWCAS.  In  the  selection  criteria  the  implicit  AND 
operator  is  available. 

10.3.6  MARK  IV/AUDITOR.  AND  and  OR  connectors  may  be 
specified  during  record  selection.  More  complex  logic  may  be 
specified  by  means  of  level  specification.     Records  NOT  to 
be  selected  may  be  identified  during  the  selection 
specification.

10.3.7  SCORE.  Logical  operations  include  IF,  nested  IF, 
ELSE, NOT, AND, OR, plus all other operations supported by
COBOL.     Match  routines  provide  for  printing  of  records  that 
do or do not have a matching primary or secondary record.


11. CLASSIFICATION


Under  this  heading  are  grouped  several  functions  which 
permit  assignment  of  records  into  a  set  of  predetermined 
classes.     The  two  most  common  ways  are  stratification  and 
aging.     Classification  permits  the  auditor  to  separate 
records  or   information  into  sets  which  then  can  be  examined 
according  to  different  criteria.     It  may  be  required  to 
examine  all  disbursements  above  a  certain  dollar  amount,  but 
to  only  sample  those  below  that  amount. 

11.1  Stratification 

Stratification  is  defined  here  as  the  separation  of 
records  into  sets  of  classes.     Stratification  may  be  based 
on  dollar  amounts,  or  dollar  ranges,   in  which  case  these 
ranges  must    be  specified  by  the  auditor.  Often  the  system 
provides  a  set  of  ranges  as  a  default  capability. 
Stratification  may  also  be  based  on  account  classifications, 
or  other  criteria. 

11.1.1 AUDITAPE. The subtotal option in the Include/Exclude
routine  provides  stratification  as  a  result.  Control  totals 
of  the  number  and  monetary  amount  of  items  in  the  population 
and   in  the  sample  are  printed  out.     These  totals  are 
classified   into  two  or  three  strata,   top  and  bottom,  or  top, 
middle,  and  bottom  strata  as  specified. 

11.1.2 DYL 260. Stratification can be implicitly programmed
through  entry  of  parameter  values  and  a  sequence  of  actions. 

11.1.3  EASYTRIEVE.  Stratification  can  be  specified  including 
record  count,  money  amounts,  percentage  and  average 
calculations.

11.1.4  EDP-AUDITOR.  There  are  pre-written  stratification 
routines  called  Stratified  Random  Selections  which  perform 
automatic  stratification  into  6  strata.  The  user  can  specify 
the  ranges.   If  more  strata  are  required,   the  user  has  the 
capability  to  specify  any  number  of  strata  in  the  EDP- 
AUDITOR  language. 

11.1.5 HEWCAS. Selection and stratification processes are
combined in HEWCAS. Maximum number of strata that can be
specified  is  30  (option  1),  and  9kJ    (suboption  2). 

11.1.6  MARK  IV/AUDITOR.   Records  may  be  automatically 
stratified,  based  on  ranges  of  values.     Up  to  20  different 
strata  may  be  specified  in  a  "stratification  table",  and 
three  stratification  tables  can  be  used.  Each  stratum  is 
assigned a group code, which then may be used for record
selection, reporting, control breaks, sorting, and
conditional  calculations  or  other  processing. 

11.1.7 SCORE. No special provision is made for
stratification.     The  user  can  specify  stratification  by 
first  sorting,   then  specifying  a  control  break  for  each 
interval  desired. 


11.2  Aging 

Aging  refers  to  the  placing  of  records  into  ranges 
based on time-based criteria. As an example, all records may
be  classified  into  those  from  0  to  3  months  old,  3  to  6 
months  old,  and  older  than  6  months. 

11.2.1  AUDITAPE.  Aging  may  be  performed  by  use  of  the 
subtotal  option  in  the  Include/Exclude  routine. 

11.2.2  DYL  260.   Provided  as  programmed  by  input  parameters. 

11.2.3  EASYTRIEVE.  Aged  analysis  reports  can  be  prepared. 

11.2.4 EDP-AUDITOR. There are library routines in the
summary analysis which perform an aging summary
automatically.

11.2.5 HEWCAS. No provision for aging.

11.2.6 MARK IV/AUDITOR. An aging worksheet provides for five
types  of  date  format,  and  four   types  of  aging  analysis. 
Columnar  aging  provides  detail  within  each  account  number. 
Summary  aging  provides  aged  summaries  for  each  account 
number,   i.e.  one  line  per  account  number.     In  category  aging 
each  detail  record  within  each  age  group  is  shown  or  the 
report may show each detail record within each age group
within  each  account  number. 

11.2.7  SCORE.  No  special  provision  for  aging   is  offered. 
The  user  can  specify  aging  by  first  sorting  the  file,  then 
specifying a control break for each interval desired.


12. SELECTION


The  auditor  selects  those  records  from  client  files, 
which  are  of  special   interest  to  him.  Selection  may  be  based 
on  record  attributes,   such  as  account  number,  vendor  number, 
plant  location  etc.,  or   it  may  be  based  on  dollar  range  or 
account  ranges,  as  defined  during  the  classification 
process.     Selection  may  also  occur  by    means  of  sampling. 
Sampling  may  be  done  on  a  periodic  basis,   i.e.  every  tenth 
record  may  be  selected,  or   it  may  be  done  on  a  random  basis. 
Selection  criteria  may  be  combined  by  means  of  logical  or 
relational  operators.  Selection  may  also  occur  on  a 
temporary variable (a field produced as a result of an
arithmetic calculation).

12.1.1  AUDITAPE.  The  Estimation  Sample  Design,  Selection  and 
Evaluation  routines  will  design,  select,  and  evaluate  a 
sample  as  a  stratified  regression  estimate  on  a  separate  or 
combined basis. Mean, ratio, and unstratified estimates
may also be obtained as special cases of a regression
estimate.

12.1.2 DYL 260. Fields may be tested with complex selection
logic set by parameter values and sequences. Random
sampling requires exit to a special routine for random
numbers.

12.1.3  EASYTRIEVE.  Selection  of  records  is  made  with  the  IF 
statement  and  a  listing  of  logical  and/or  statements.  Also 
many  special  tests  can  be  made  to  select  records  that  are 
blank,  alphabetic,  numeric,  negative,  hexadecimal,  changed 
since  "last  record   in",   sorted  etc. 

12.1.4 EDP-AUDITOR. In addition to the standard selection
capability  of  testing  for  equality,   inequality,  greater 
than,  and  less  than  relationships,   there  is  a  library  of 
selection  and  sampling  programs  including  a  random  number 
table,   simple  random  selection,   stratified  random  selection, 
and  6  different  statistical  sampling  techniques.     The  6 
additional  sampling  techniques  are  discovery,  stop-or-go, 
attributes,  variables  estimation,  numerical,  and 
proportional  sampling.     Selection  can  also  occur  on  a 
temporary  variable. 

12.1.5  HEWCAS.  Interval  sampling  with  random  start  is 
possible.  Other  selection  criteria  are  matching  for 
equality,  and  matching  for  within  range,  high  and  low 
limits.     No  logical  limit  on  number  of  fields  that  can  be 
tested.     Number  of  fields  limited  by  printer  width.  No 
selection  is  possible  on  temporary  variables.  Item 
sampling, and dollar unit sampling are available, both also
with interval sampling.


12.1.6 MARK IV/AUDITOR. Selection may be based on sampling,
range selection, additional criteria specified before or
after sampling, logical criteria, or computation. A variety
of  sampling  routines  are  available,  such  as  interval 
sampling,   interval  sampling  with  multiple  random  starts, 
random  sampling,  cumulative  monetary  amount  sampling,  limit 
number  selected,  and  stratified  monetary  sampling.  Records 
not  to  be  selected  may  be  also  specified. 

12.1.7  SCORE.  Complex  record  selection  criteria  may  be 
specified  by  the  user.     No  logical  limit  on  the  number  of 
fields  that  may  be  tested.     Selection  may  be  based  on 
temporary  variables.     Every  n-th  record  read,  or  every  n-th 
record  selected  may  be  processed  through  the  use  of  a 
control  card.     An  optional  RANDOM  NUMBER  GENERATOR  may  be
used  to  randomly  select  records  for  processing. 
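
The two systematic techniques named in this section, interval sampling with a random start and dollar unit sampling, are sketched below as an added example; it is not code from the report or from any of the seven packages. The ledger, the function names and the standard cumulative-total formulation of dollar unit sampling are assumptions.

```python
import random

# Constructed sample ledger (not from the report): (record id, whole dollars).
LEDGER = [("INV-001", 120), ("INV-002", 40), ("INV-003", 900), ("INV-004", 15),
          ("INV-005", 60), ("INV-006", 300), ("INV-007", 5), ("INV-008", 260)]


def interval_sample(records, interval, start=None, rng=None):
    """Item sampling: every interval-th record after a random start."""
    if interval < 1:
        raise ValueError("interval must be at least 1")
    if start is None:
        # OS randomness, so the start cannot be predicted by the auditee.
        start = (rng or random.SystemRandom()).randrange(interval)
    if not 0 <= start < interval:
        raise ValueError("start must fall inside the first interval")
    return start, records[start::interval]


def dollar_unit_sample(records, interval, start=None, rng=None):
    """Dollar unit sampling: every interval-th dollar of the running total.

    Returns (start, picked, skipped). picked holds (id, amount, hits); an
    item of at least `interval` dollars is always picked and may be hit
    more than once. skipped lists items that carry no dollar units.
    """
    if interval < 1:
        raise ValueError("interval must be at least 1")
    if start is None:
        start = (rng or random.SystemRandom()).randrange(1, interval + 1)
    if not 1 <= start <= interval:
        raise ValueError("start must fall inside the first interval")
    next_hit, cumulative, picked, skipped = start, 0, [], []
    for rec_id, amount in records:
        if amount <= 0:
            skipped.append(rec_id)      # credits and zero items: test separately
            continue
        cumulative += amount
        hits = 0
        while next_hit <= cumulative:   # selection point lies inside this item
            hits += 1
            next_hit += interval
        if hits:
            picked.append((rec_id, amount, hits))
    return start, picked, skipped
```

Passing an explicit `start` reproduces a documented selection; leaving it out draws a fresh one.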

13.  SUMMARIZATION


Summarization  refers  to  the  summing  of  numeric  totals, 
or  subtotals,   for   items  with  common  attributes,  such  as 
account  number,  vendor  number  etc.     For  purposes  of  internal 
control   it  is  necessary  to  count  and  report  total  number  of 
records.     Summarization  is  used  by  the  auditor  to 
consolidate  information  of  interest,  which  is  fragmented  in
different  files  and  records. 

13.1.1  AUDITAPE.  For  each  numeric  field  summarized  the 
output  provides  the  number  of  items  summarized,  positive, 
negative,  and  net  totals  before  and  after  summarization. 
Out-of-sequence  records  can  be  identified.  Any  contiguous
positions  in  the  Auditape  record  may  be  specified  as  control 
field  for  summarization. 

13.1.2  DYL  260.  All  detail  records  in  a  file  can  be  combined
based  on  a  key  field  to  produce  a  total  record  for  further
processing.     There  is  no  limit  on  the  number  of  fields  that
can  be  totalled  by  appropriate  input  parameters. 

13.1.3  EASYTRIEVE.  Summarization  reports  can  be  specified. 

13.1.4  EDP-AUDITOR.  Any  numeric  field  is  totalled
automatically.  There  can  be  20  (standard)  to  60  (optional)
levels  of  totaling  (control  breaks).  There  are  library
routines  for  file  footing  and  summary  analyses. 

13.1.5  HEWCAS.  Totalling  is  available  on  any  numeric  field.
The  number  of  fields  that  can  be  totalled  and  printed  at  one 
time  is  a  function  of  the  printer  width.     No  other 
arithmetic  functions  are  available.  No  temporary  variables 
are  available. 

13.1.6  MARK  IV/AUDITOR.  Summarization  capability  exists  as
part  of  the  aging  specification  and  the  report 
specification.  Summaries  may  be  produced  on  a  control  break, 
and  up  to  9  levels  of  control  breaks  may  be  specified. 
Additional  processes  may  be  invoked  automatically  such  as 
printing  of  subtitles,  page  eject,  or  cumulative  totaling. 

13.1.7  SCORE.  Any  computation  possible  with  COBOL  may  be 
specified.     Up  to  nine  temporary  variables  are  possible 
automatically;  an  unlimited  number  may  be  submitted  by  the 
user  through  own  code.     Up  to  120  totals  are  possible 
automatically.     An  unlimited  number  of  totals  are  available 
with  the  optional  MULTIPLE  REPORT  feature. 
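
Control-break summarization as described in this section, with the item count, positive, negative and net totals and the out-of-sequence check listed for AUDITAPE, is sketched below as an added example; it is not code from the report or from any of the packages. The record layout, sample records and function names are assumptions.

```python
from collections import namedtuple

Summary = namedtuple("Summary", "key items positive negative net")
FIELDS = ("items", "positive", "negative", "net")

# Constructed fixed-width records (not from the report):
# columns 0-5 hold the account number, columns 6-13 a signed amount in cents.
KEY, AMOUNT = slice(0, 6), slice(6, 14)
RECORDS = [
    "100200+0001500",
    "100200-0000250",
    "100350+0004000",
    "100200+0000100",   # out of sequence: account 100200 after 100350
    "100400-0000900",
    "100400+0000900",
]


def tally(amounts):
    """Item count with positive, negative and net totals for the amounts."""
    return (len(amounts), sum(a for a in amounts if a > 0),
            sum(a for a in amounts if a < 0), sum(amounts))


def summarize(records, key=KEY, amount=AMOUNT):
    """One total record per control break, plus out-of-sequence records."""
    summaries, out_of_sequence, group, last_key = [], [], [], None
    for number, record in enumerate(records, start=1):
        this_key = record[key]          # any contiguous positions may be the key
        if last_key is not None and this_key < last_key:
            out_of_sequence.append((number, this_key))
        if last_key is not None and this_key != last_key:
            summaries.append(Summary(last_key, *tally(group)))  # control break
            group = []
        group.append(int(record[amount]))
        last_key = this_key
    if group:
        summaries.append(Summary(last_key, *tally(group)))
    return summaries, out_of_sequence


def reconcile(records, summaries, amount=AMOUNT):
    """Compare control totals before summarization with those after it."""
    before = dict(zip(FIELDS, tally([int(r[amount]) for r in records])))
    after = {f: sum(getattr(s, f) for s in summaries) for f in FIELDS}
    return before == after, before, after
```

An out-of-sequence record still reconciles, but it splits its account across two total records, which is why the sequence check is reported alongside the totals.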

14.  DIAGNOSTIC  AND  CONTROL  CAPABILITY


In  this  section  the  basic  diagnostic  capability  of  the 
software  package  is  discussed.  Certain  controls  need  to  be 
exercised  as  part  of  an  audit  to  assure  integrity,  and  to 
maintain  accuracy  of  the  data.     This  pertains  to  the 
physical  tape,   the  processing  and  the  records  resulting  from 
the  processing. 


14.1.1  AUDITAPE.  Control  totals  and  record  counts  are 
provided  automatically.     Internal  file  labelling   is  used  for 
all  files  created  by  the  Auditape  system.  Some  Auditapes, 
especially  those  used  in  multiprogramming  environments, 
contain  new  features,  which  are  subject  to  change.  To  avoid 
use  of  outdated  tapes,  each  of  these  tapes  will  function 
only  until  a  self-contained  expiration  date  is  reached.  Each 
Auditape  contains  a  unique  control  code  keyed  to  the  control 
number  of  the  Auditape  reel.  This  code  is  printed  on 
printouts  and  with  certain  console  messages.  These  control 
codes  are  maintained  on  a  confidential  basis  and  help  assure 
system  integrity.     On  some  tapes  independent  control 
totaling   is  available  as  an  optional  feature. 

14.1.2  DYL  260.  Seven  levels  of  control  break  are  available.
At  the  end  of  a  run  a  complete  set  of  file  counts  and 
diagnostics  are  printed  out.     Diagnostics  are  in  form  of 
error  messages,   indicating  code  errors,   incorrect  data  field 
sizes,  discrepancies  between  specified  data  types  and  data
types  in  records,  invalid  characters,  etc.

14.1.3  EASYTRIEVE.  Nine  levels  of  control  breaks  are 
available.     Record  counts  are  documented  automatically. 

14.1.4  EDP-AUDITOR.   The  EDP-AUDITOR  specifications  are 
checked  for  accuracy,  and  error  diagnostics  are  printed  out 
prior  to  the  extraction  of  input  data. 

14.1.5  HEWCAS.  Because  HEWCAS  prompts  the  user  for  the  input 
specifications,   the  user  can  correct  input  errors 
immediately  without  waiting  for  a  batch  summary  error
listing.

14.1.6  MARK  IV/AUDITOR.  The  control  break,  statistical,  and
footing  capability  of  the  reporting  routines  which  may  be 
specified  by  the  auditor,  provide  control  capability. 
Statistics  capability  includes  totals,  subtotals,  averages, 
counts,  cumulative  totals,  maximum  and  minimum  values, 
percent,  and  ratios,  which  may  be  specified  at  any  control 
break.  All  Mark  IV/Auditor  specifications  are  automatically 
validated,  and  error  diagnostic  messages  are  printed. 

14.1.7  SCORE.  Provides  a  thorough  edit  check  of  SCORE
parameter  statements.     An  extensive  list  of  error  messages 
describes  any  detected  specification  errors.  SCORE- 
generated  COBOL  code  is  error  free.     User  submitted  COBOL 
errors  are  diagnosed  by  the  COBOL  compiler. 

15.  REPORT  PREPARATION  CAPABILITY


For  many  routine  applications  standard  report  formats 
are  practical,  and  require  only  a  minimum  of  specification. 
For  ad-hoc  reports,  or  one-time  applications,  report  formats 
must  however  be  flexible  and  must  be  easy  to  adjust.  Points 
to  be  considered  are  number  and  widths  of  columns  in 
reports,  number  of  lines,  heading  and  footing  formats.
Automatic  editing  capability  with  regard  to  dollar  signs,
commas  and  decimal  points,  zero  suppression,  etc.  is
required.     Functions  which  are  necessary  for  internal 
control  and  maintenance  of  an  audit  trail  are  automatic  line 
numbering,  page  numbering,  record  numbering,   the  counting  of 
records,  and  the  provision  of  control  totals  as  required  by 
the  auditor.     Another  feature  often  provided  is  the  ability 
to  generate  confirmation  notices.  Often  provision  for 
printing  of  mailing  labels  is  also  provided. 

15.1.1  AUDITAPE.  The  Print/Punch  routine  takes  standard 
Auditape  inputs,  and  provides  printed  or  punched  card  output 
or  both.  The  printed  output  includes  listing  of  all  records 
in  input  file,  with  either  one  or  two  printed  lines  per 
record,  depending  on  number  of  fields  specified.     Fields  may 
be  printed  in  any  sequence.  Optional  column  headings  may  be 
specified.  Listings  also  contain  a  record  sequence  number,  a 
random  item  number  for  selection  routine  output,  a  count  of 
items  summarized  for  summarization  routine  output.  The  most 
commonly  used  specifications  are  assumed,  and  entries  are 
needed  only  for  those  specifications  that  differ  from  the 
assumed  ones.     Additionally  the  Print  Confirmation  routine 
may  be  used  to  generate  confirmation  notices  on  a  full  file 
basis  or  with  output  from  the  Audit  Sample  routine.  Text 
generated   is  the  standard  AICPA  text,  or  optionally  user 
generated  text.  Addresses  fit  standard  window  envelopes, 
thus  avoiding  need  for  mailing  labels. 

15.1.2  DYL  260.  Automatic  composition  or  user  specified
columns  can  be  used.     Page  format  can  be  specified  in  terms
of  lines  per  page,  characters  per  line,  column  spacing,  line
spacing,  and  control  breaks.     Report  titles  can  be  specified 
with  up  to  nine  lines,  headings  and  footings,  spacing,  and 
centering.     Report  lines  can  be  specified  to  relate  to  input 
file  specifications,   several  types  of  editing,  rounding, 
justification,  and  printing  of  totals  at  control  breaks. 
Column  headings  may  contain  text  or  formulas. 

15.1.3  EASYTRIEVE.  Automatic  page  numbering,  date  insertion,
centering  for  titles  and  column  headings  is  available.  Paper 
size  options  are  8  1/2  x  11,  and  8  1/2  x  14.  Automatic  page 
ejection  is  available.  A  PRINT  command  is  used  for  text 
generation.  Ten  sort  fields,  9  levels  of  control  breaks,  25 
fields  maximum  on  one  line,  four  title  lines  which  may
include  variable  information.  Format  controls  may  be 
overridden  to  create  special  non-standard  formats. 

15.1.4  EDP-AUDITOR.  The  output  formats  are  completely
flexible.     The  user  can  specify  horizontal  and  vertical 
placement;  multiple  header  lines,   total  lines  and  detail 
lines;   single,  double,   triple  spacing;  page  length,  page 
numbering,  output  editing  such  as  decimal  point  placement, 
asterisk  or  comma  fill,  number  of  digits  printed,  etc. 
These  functions  can  be  specified  for  each  report  and  up  to 
100  separate  reports  can  be  printed  at  one  time.  Defaults 
are  available  for  automatic  report  formatting  and  header 
generation,   floating  dollar  sign,   filling,   totaling,  page 
numbering,  dating  etc.     Library  routines  are  provided  for
confirmation  and  label  printing. 

15.1.5  HEWCAS.  Spacing  between  vertical  columns  can  be
specified.     Title  and  footing  cannot  be  modified  except  by
COBOL  program  modification.     Automatic  zero  suppression  and
comma  insertion  for  numeric  fields  is  available.  Line 
spacing   is  fixed.  No  automatic  page  numbering   is  available. 
Up  to  90  separate  extracted  files  can  be  produced  from  one 
input  file.  The  formats  of  the  output  files  must  be  the 
same.

15.1.6  MARK  IV/AUDITOR.   In  addition  to  fixed  format  reports 
there  is  flexibility  to  design  one-time  "ad-hoc"  reports.
The  MARK  IV  capability  is  available,  which  provides  for
output  editing,  specification  of  as  many  title  lines  as
desired,  specification  of  a  preface  to  be  printed  before  the
report,  entering  of  comments,  and  specification  of  free-form
page  formatting.  Page  width  and  height  are  adjustable,
number  of  detail  page  images  is  flexible  (such  as  mailing
labels),  column  heading  positions,  date  position,  page
number  position,  and  page  numbering  are  flexible. 
Confirmation  notices  may  be  automatically  prepared  on  a 
sampling  basis,  letters  or  preprinted  forms  may  be  used,  and 
confirmation  notice  reconciliation  and  optional  second 
notice  generation  are  available.     Mailing  labels  can  be 
generated  automatically  for  confirmation  notices. 

15.1.7  SCORE.  Report  format  may  be  specified   in  terms  of 
lines  per  page,  characters  per  line,  column  control,  page 
ejection,  page  numbering  and  date  insertion.     Page  width  and 
depth  are  completely  flexible.     Automatic  or  user  controlled 
editing  for   rounding,  decimal  point  location,  leading  zero 
suppression,   floating  dollar  sign  and  asterisk  check 
protection.     Mailing  labels  and  audit  confirmation  may  be 
printed  automatically.     All  print  lines  may  contain  variable 
information  and  up  to  9  lines  may  be  spaced  after  each  print 
function.     Up  to  9  heading  and  5  footing  lines  are  available 
per  page.     Up  to  5  uniquely  formatted  detail  lines  may  be
printed  on  each  read  cycle.     Up  to  9  differently  formatted 
summary  lines  may  be  printed  on  up  to  6  control  breaks. 
Data  may  be  extracted  automatically  from  up  to  9  different 
tables,  with  the  optional  TABLE  LOOKUP  feature.     Up  to  99 
different  reports,  each  in  a  different  sorting  sequence,  and 
each  with  all  the  above  features,  may  be  printed  from  one 
pass  of  the  input  files  with  the  optional  MULTIPLE  REPORT 
feature. 

16.  CONCLUSIONS


This  overview  of  auditing  software  in  the  context  of 
the  overall  auditing  process  illustrates  the  complexities 
both  of  auditing  and  of  the  audit  software  field.  Auditing 
as  a  profession  is  changing.  Internal  auditing  is  expanding 
with  the  expanding  scope  of  organizations.  Electronic  funds 
transfer  and  automated  information  systems  of  transnational
corporations  are  but  two  examples  where  expanded  scope  of
auditing  techniques  is  required.     The  increasing  emphasis  on 
data  security  and  privacy  is  adding  a  new  dimension  to 
systems  planning  and  auditing  and  is  becoming  a  fertile 
field  for  the  auditor  and  for  software  applications.     At  the 
same  time  EDP  professionals  are  joining  auditors  in  auditing 
of  large,  complex  computerized  organizations. 

Use  of  the  terms  "audit"  and  "auditing"  in  the  broader 
sense,  meaning  system  analysis  with  respect  to  efficiency, 
quality  of  results,  relevance,  and  accuracy  is  increasing, 
and  the  internal  auditor  is  expanding  activities  beyond  the
financial  area. 

The  term  audit  software  covers  only  a  small  part  of 
existing  computer  programs  which  could  be  used  in  auditing 
processes.     Data  management  systems  could  be  applied  to 
audit  planning,  statistical  analysis  packages  are  being 
applied  to  the  determination  of  accuracy  and  reliability  of 
numerical  tests,  and  information  retrieval  systems  could  be 
applied  to  the  collection  of  evidence  useful  not  only  in  the 
assessment  of  financial  information,  but  in  resource 
utilization  and  assessment  of  utility  of  products  and 
services.     Management  information  systems  should  be 
available  to  the  auditor  and  should  provide  useful 
information.

The  relatively  small  sample  of  seven  systems  discussed 
here  illustrates  the  difficulty  of  description  of  a  set  of 
systems  in  common  terms.  It  would  be  desirable  to  develop 
common  denominators  for  features  of  systems,  which  could  be 
used  as  design  criteria,  and  as  evaluation  guideposts  for 
independent  evaluation  and  system  comparison. 

Although  some  software  vendors  claim  that  their  audit 
software  packages  can  be  used  by  non  computer-specialists, 
there  is  considerable  discussion  on  this  point  among  users 
of  audit  software.     It  appears  that  much  can  be  done  in 
simplifying  audit  applications,  which  would  reduce  training 
costs  and  operating  expenses  and  provide  the  independence 
for  auditors,  which  is  required  for  their  work. 